ABSTRACT


Computations related to elliptic curves over finite fields have in recent years gained
much attention, not only because elliptic curves over finite fields are a rich source of
abelian groups which can be used to implement public key cryptosystems, but also
because they have stimulated a new direction of research in computational number
theory. Common to all the computational problems, e.g. primality proving, is the design of
suitable elliptic curves. For the implementation of elliptic curve cryptosystems, we need
to construct nonsupersingular curves which have a given large group order over large
finite fields. The finite fields which are of practical interest are the prime fields and
those extensions of GF(2) which have an optimal normal basis. In this thesis, we will see
the computations involved in the design of such suitable curves and those related to the
implementation of cryptosystems using those curves.
Chapter 1

Introduction 


The invention of public key cryptography by Diffie and Hellman in 1976 not only
revolutionized the field of cryptography, but also had a profound effect on the direction of
research in computational number theory. For the first time the question of the relative
complexity of various number-theoretic tasks took on a practical urgency.

The first usable public key system, introduced in 1978, was the RSA cryptosystem, 
which is based on the problem of factoring large integers. RSA soon became the best 
known and most widely used public key cryptosystem. It stimulated a tremendous amount 
of research on the twin subjects of factoring and primality testing. 

Another type of public key cryptography, based on the discrete analogue of the logarithm
function, gave rise to a second current of research in computational number theory.
The discrete log problem was first considered in the multiplicative group of a finite field,
especially a prime finite field or a finite field of characteristic 2 (since these fields seemed
to be the most practical for implementation). Although discrete log cryptosystems have
been in the public eye much less than RSA, the discrete log problem and related issues have
been receiving considerable attention in the research community. The practical questions
that have arisen in discrete log cryptography have served as an impetus for much work on
the structure of finite fields and the complexity of certain tasks related to this structure.

In 1985 a variant of discrete log cryptography was proposed, based on the discrete log
problem in the group of points of an elliptic curve defined over a finite field. Cryptosystems
using discrete logarithms in this group have two potential advantages over systems based
on the multiplicative group of a finite field (and also over systems based on RSA): (1)
the great diversity of elliptic curves available to provide the groups; and (2) the absence
of subexponential time algorithms (such as those of 'index calculus' type) that could find
discrete logs in these groups [Men1].
Of the developments in elliptic curve cryptography since 1985, the most dramatic was
the demonstration by Menezes, Okamoto and Vanstone in 1990 that the discrete log problem
on a so called 'supersingular' elliptic curve can be reduced to (i.e., has the same
complexity as) the discrete log problem in a finite field. This result means that one should
avoid the (relatively small) set of supersingular curves if one wants to have a cryptosystem
whose cracking problem is, to the best of our current knowledge, of fully exponential
complexity.

Clearly, if devising efficient algorithms for the blocks involved in the implementation of
any scheme of elliptic curve cryptosystems is one important aspect of research, developing
an efficient algorithmic procedure for the design of curves suitable for use in these systems
is also an important aspect of it. Atkin and Morain first brought out an algorithmic
procedure, as a by-product of their implementation of the so called 'Elliptic Curve Primality
Proving' method proposed by Lenstra [Kob1]. Their method uses Class Field Theory
and Weber's Class Invariants. Lay and Zimmer also developed a similar procedure which
is almost the same as that of Atkin and Morain but differs in the chosen Class Invariants and
the way Class Equations (minimal polynomials of the suitably chosen Class Invariants of
the Ring Class Field of concern) are computed. They have also developed a procedure to
design curves over $\mathbb{F}_{2^n}$ using the Yui-Zagier Reduced Class Equation.

In this thesis, we will see the algorithmic procedure of Lay and Zimmer and the
implementation of it using the arithmetic packages SIMATH/simcalc and PARI/GP. We will
also look into all the computations involved in the implementation of elliptic curve
cryptosystems and how to do them efficiently using the currently known best algorithms. Apart
from this, we will also look into certain computations related to normal basis arithmetic,
which will be needed by us.

The organization of the thesis is as follows: We will first review the arithmetic of elliptic
curves in Chapter 2. In Chapters 3 and 4, we will see certain aspects related to optimal
normal bases. Chapter 5 is concerned with the computations involved in the design and
implementation of elliptic curve cryptosystems. As said above, we will be concerned with
only the currently known most efficient algorithms. In Chapter 6, we list the results of our
implementation of all the algorithms discussed in the previous chapters.
Chapter 2


Review of the Arithmetic of Elliptic Curves


In this chapter let us look into the main results which help us in understanding the theory
of elliptic curves from a computational point of view. That is, we will see those results which
will lead us to an understanding of the problem of building an elliptic curve of given group
order over large finite fields, which we will see in Chapter 5.

2.1 Curves Over C

Let us consider some of the definitions related to the theory of elliptic curves [Silv1] (for the
basic theory of elliptic curves see [Chah] [Rose] [More]). Let $E(\mathbb{C})$ be an elliptic curve
defined over $\mathbb{C}$ and $P$ any point on the curve. (It is assumed that $O$ is the point at
infinity.) We start with the hypothetical map $F : E(\mathbb{C}) \to \mathbb{C}$ defined by

$$F(P) = \int_{O}^{P} \omega$$

and the two integrals

$$\omega_1 = \int_{\alpha} \omega \quad \text{and} \quad \omega_2 = \int_{\beta} \omega,$$

which are called the periods of $E$ and which allow us to visualize how elliptic curves have
evolved naturally out of the so called elliptic integrals [Alf] [Silv1]. We find that the
integral $F$ given above is well-defined up to addition of a number of the form
$n_1\omega_1 + n_2\omega_2$. Let

$$\Lambda = \{n_1\omega_1 + n_2\omega_2 : n_1, n_2 \in \mathbb{Z}\}.$$

We have thus

$$F : E(\mathbb{C}) \to \mathbb{C}/\Lambda, \qquad P \mapsto \int_{O}^{P} \omega \pmod{\Lambda}.$$

Using the translation invariance of $\omega$, we can easily verify that $F$ is a homomorphism
(the group law on $\mathbb{C}/\Lambda$ being induced by addition on $\mathbb{C}$). Now the
quotient space $\mathbb{C}/\Lambda$ will be a Riemann surface (i.e. a one dimensional complex
manifold, a complex torus) iff $\Lambda$ is a lattice, that is, iff the periods $\omega_1$ and
$\omega_2$ which generate $\Lambda$ are linearly independent over $\mathbb{R}$ [Silv1]. This is
the case, and $F$ gives a complex analytic isomorphism. Let us now study the space
$\mathbb{C}/\Lambda$ for a given lattice $\Lambda$ by constructing the inverse to the mapping
$F$, and show that $\mathbb{C}/\Lambda$ is analytically isomorphic to $E_\Lambda(\mathbb{C})$
for a certain elliptic curve $E_\Lambda/\mathbb{C}$. The Uniformization Theorem then says that
every elliptic curve (e.c.) $E/\mathbb{C}$ is isomorphic to some $E_\Lambda$, from which we will
see that the periods of $E/\mathbb{C}$ are $\mathbb{R}$-linearly independent and that $F$ is a
complex analytic isomorphism.

Let $\Lambda \subset \mathbb{C}$ be a lattice, that is, $\Lambda$ is a discrete subgroup of
$\mathbb{C}$ which contains an $\mathbb{R}$-basis for $\mathbb{C}$. Now let us see meromorphic
functions [Alf] on the quotient space $\mathbb{C}/\Lambda$; or equivalently, meromorphic
functions on $\mathbb{C}$ which are periodic with respect to the lattice $\Lambda$.

Def 1: An elliptic function (relative to the lattice $\Lambda$) is a meromorphic function $f(z)$
on $\mathbb{C}$ which satisfies

$$f(z + \omega) = f(z) \quad \forall\, \omega \in \Lambda,\ z \in \mathbb{C}.$$

The set of all such functions is denoted $\mathbb{C}(\Lambda)$. $\mathbb{C}(\Lambda)$ is clearly a
field [Alf].

The Weierstrass $\wp$-function (relative to $\Lambda$) is defined by the series

$$\wp(z, \Lambda) = \frac{1}{z^2} + \sum_{\omega \in \Lambda,\ \omega \neq 0}
\left( \frac{1}{(z - \omega)^2} - \frac{1}{\omega^2} \right).$$

We have

$$\mathbb{C}(\Lambda) = \mathbb{C}(\wp(z), \wp'(z)).$$

That is, every elliptic function is a rational combination of $\wp$ and $\wp'$.

The Laurent series for $\wp$ about $z = 0$ is given by

$$\wp(z) = z^{-2} + \sum_{k=1}^{\infty} (2k+1)\, G_{2k+2}(\Lambda)\, z^{2k},$$

and for all $z \in \mathbb{C}$ with $z \notin \Lambda$,

$$\wp'(z)^2 = 4\wp(z)^3 - 60 G_4\, \wp(z) - 140 G_6,$$

where

$$G_{2k}(\Lambda) = \sum_{\omega \in \Lambda,\ \omega \neq 0} \omega^{-2k}$$

is the Eisenstein series of weight $2k$ (for $\Lambda$). It is standard notation to set

$$g_2 = g_2(\Lambda) = 60 G_4 \quad \text{and} \quad g_3 = g_3(\Lambda) = 140 G_6.$$

Then the algebraic relation between $\wp(z)$ and $\wp'(z)$ reads

$$\wp'(z)^2 = 4\wp(z)^3 - g_2\, \wp(z) - g_3.$$

Let $E/\mathbb{C}$ be an elliptic curve. Since the group law $E \times E \to E$ is given by
everywhere locally defined functions, we see in particular that $E = E(\mathbb{C})$ is a complex
Lie group (i.e. a complex manifold with a group law given locally by complex analytic functions).
Similarly, if $\Lambda \subset \mathbb{C}$ is a lattice, then $\mathbb{C}/\Lambda$ with its
natural addition is a complex Lie group. The next proposition shows that $\mathbb{C}/\Lambda$ is
always complex analytically isomorphic to an elliptic curve.

Prop 1: Let $g_2$ and $g_3$ be the quantities associated to a lattice $\Lambda \subset \mathbb{C}$.

(a) The polynomial $f(x) = 4x^3 - g_2 x - g_3$ has distinct roots. Its discriminant

$$\Delta(\Lambda) = g_2^3 - 27 g_3^2$$

is not zero.

(b) Let $E/\mathbb{C}$ be the curve

$$E : y^2 = 4x^3 - g_2 x - g_3,$$

which is an elliptic curve by (a). Then the map

$$\phi : \mathbb{C}/\Lambda \to E \subset \mathbb{P}^2(\mathbb{C}), \qquad z \mapsto [\wp(z), \wp'(z), 1]$$

is a complex analytic isomorphism of complex Lie groups (that is, it is an isomorphism of
Riemann surfaces which is a group homomorphism).
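The Laurent expansion and the algebraic relation of $\wp$ and $\wp'$ can be checked numerically. The following Python is an added example written for this review (it is not code from the thesis or from its SIMATH/PARI implementation): it computes $G_4$ and $G_6$ for the lattice $\Lambda_\tau = \mathbb{Z}\tau + \mathbb{Z}$ by truncating the lattice sum of the definition, derives the higher $G_{2k}$ by the standard recursion expressing them through $G_4$ and $G_6$ (a fact used here but not stated on this page), builds $\wp$ and $\wp'$ from the Laurent series and verifies $\wp'(z)^2 = 4\wp(z)^3 - g_2\wp(z) - g_3$. The lattice $\tau = 0.25 + i$, the point $z = 0.3 + 0.2i$ and the truncation bound are choices of this example, not of the text.

```python
import cmath

def eisenstein_lattice_sum(tau, weight, bound=160):
    """G_{2k}(Lambda_tau) = sum over nonzero omega = m*tau + n of omega^(-2k),
    truncated to |m|, |n| <= bound. The sum converges absolutely for weight >= 4; the
    truncation error is O(1/bound^(weight-2)), so G_4 is the least accurate of the terms."""
    total = 0j
    for m in range(-bound, bound + 1):
        for n in range(-bound, bound + 1):
            if m == 0 and n == 0:
                continue
            total += (m * tau + n) ** (-weight)
    return total

def eisenstein_from_recursion(g4, g6, count):
    """Dict {2k: G_{2k}} for 2 <= k <= count, from the recursion (assumed here; it follows
    from the differential equation of wp):
    (2n+1)(n-3)(2n-1) G_{2n} = 3 * sum_{k=2}^{n-2} (2k-1)(2n-2k-1) G_{2k} G_{2n-2k}."""
    G = {4: g4, 6: g6}
    for n in range(4, count + 1):
        s = sum((2 * k - 1) * (2 * n - 2 * k - 1) * G[2 * k] * G[2 * n - 2 * k]
                for k in range(2, n - 1))
        G[2 * n] = 3 * s / ((2 * n + 1) * (n - 3) * (2 * n - 1))
    return G

def wp(z, G, terms):
    """Laurent series wp(z) = z^-2 + sum_{k>=1} (2k+1) G_{2k+2} z^{2k}, valid for |z| < min|omega|."""
    return z ** (-2) + sum((2 * k + 1) * G[2 * k + 2] * z ** (2 * k) for k in range(1, terms + 1))

def wp_prime(z, G, terms):
    """Termwise derivative of the Laurent series above."""
    return -2 * z ** (-3) + sum((2 * k + 1) * (2 * k) * G[2 * k + 2] * z ** (2 * k - 1)
                                for k in range(1, terms + 1))

def lattice_invariants(tau, bound=160, terms=30):
    """Return (g2, g3, Delta, G) for Lambda_tau, with G holding G_4 .. G_{2*terms+2}."""
    g4 = eisenstein_lattice_sum(tau, 4, bound)
    g6 = eisenstein_lattice_sum(tau, 6, bound)
    G = eisenstein_from_recursion(g4, g6, terms + 1)
    g2, g3 = 60 * g4, 140 * g6
    return g2, g3, g2 ** 3 - 27 * g3 ** 2, G

def differential_equation_residual(tau=0.25 + 1j, z=0.3 + 0.2j, bound=160, terms=30):
    """Relative size of wp'^2 - (4 wp^3 - g2 wp - g3) at z; limited by the truncation of G_4.
    tau and z are a constructed sample lattice and point."""
    g2, g3, _, G = lattice_invariants(tau, bound, terms)
    p, dp = wp(z, G, terms), wp_prime(z, G, terms)
    lhs, rhs = dp ** 2, 4 * p ** 3 - g2 * p - g3
    return abs(lhs - rhs) / abs(lhs)

def recursion_residuals(tau=0.25 + 1j, bound=160):
    """Relative differences between G_8, G_10 from the recursion and from direct lattice sums."""
    g4 = eisenstein_lattice_sum(tau, 4, bound)
    g6 = eisenstein_lattice_sum(tau, 6, bound)
    G = eisenstein_from_recursion(g4, g6, 5)
    out = {}
    for w in (8, 10):
        direct = eisenstein_lattice_sum(tau, w, bound)
        out[w] = abs(G[w] - direct) / abs(direct)
    return out

if __name__ == "__main__":
    print("differential equation residual:", differential_equation_residual())
    print("recursion vs direct sums:", recursion_residuals())
    # The square lattice Z i + Z is fixed by multiplication by i, which forces G_6 = 0.
    print("G_6 of the square lattice:", abs(eisenstein_lattice_sum(1j, 6, 40)))
```

The direct lattice sum is the slow way of getting $g_2, g_3$ (the error of the weight-4 sum only falls off like the inverse square of the bound); it is used here because it mirrors the definition in the text. The square-lattice check illustrates why $g_3(\mathbb{Z}i + \mathbb{Z}) = 0$: every term $\omega^{-6}$ is cancelled by $(i\omega)^{-6} = -\omega^{-6}$.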

Let $\Lambda_1$ and $\Lambda_2$ be two lattices in $\mathbb{C}$. If $\alpha \in \mathbb{C}$ has the
property that $\alpha\Lambda_1 \subset \Lambda_2$, then the scalar multiplication by $\alpha$,

$$\phi_\alpha : \mathbb{C}/\Lambda_1 \to \mathbb{C}/\Lambda_2, \qquad \phi_\alpha(z) = \alpha z \bmod \Lambda_2,$$

is clearly a holomorphic homomorphism. The important fact is that these are essentially the
only holomorphic maps. We have thus the following important theorem, which leads to some useful
conclusions:

Theorem 1: (a) With the notation as above, the association

$$\{\alpha \in \mathbb{C} : \alpha\Lambda_1 \subset \Lambda_2\} \to
\{\text{holomorphic maps } \phi : \mathbb{C}/\Lambda_1 \to \mathbb{C}/\Lambda_2 \text{ with } \phi(0) = 0\},
\qquad \alpha \mapsto \phi_\alpha$$

is a bijection.

(b) Let $E_1$ and $E_2$ be the elliptic curves corresponding to the lattices $\Lambda_1$ and
$\Lambda_2$ as in the above proposition. Then the natural inclusion

$$\{\text{isogenies } E_1 \to E_2\} \to
\{\text{holomorphic maps } \phi : \mathbb{C}/\Lambda_1 \to \mathbb{C}/\Lambda_2 \text{ with } \phi(0) = 0\}$$

is a bijection.

An immediate corollary follows:

Corr 1: Let $E_1/\mathbb{C}$ and $E_2/\mathbb{C}$ be elliptic curves corresponding to lattices
$\Lambda_1$ and $\Lambda_2$ as in the above proposition. Then $E_1$ and $E_2$ are isomorphic
(over $\mathbb{C}$) iff $\Lambda_1$ and $\Lambda_2$ are homothetic (i.e. $\Lambda_1 =
\alpha\Lambda_2$ for some $\alpha \in \mathbb{C}$).

Now we reach the Uniformization Theorem for elliptic curves, which says that every elliptic
curve over $\mathbb{C}$ is parametrized by elliptic functions. The most natural proof of this
fact uses the theory of modular functions, that is, functions on the set of lattices of
$\mathbb{C}$. (For example $g_2$ and $g_3$ are modular functions.)

Uniformization Theorem: Let $A, B \in \mathbb{C}$ satisfy $A^3 - 27B^2 \neq 0$. Then there exists
a unique lattice $\Lambda \subset \mathbb{C}$ such that $g_2(\Lambda) = A$ and $g_3(\Lambda) = B$.

Corr 2: Let $E/\mathbb{C}$ be an elliptic curve. Then there exists a lattice $\Lambda \subset
\mathbb{C}$, unique up to homothety, and a complex analytic isomorphism

$$\phi : \mathbb{C}/\Lambda \to E(\mathbb{C}), \qquad \phi(z) = (\wp(z, \Lambda), \wp'(z, \Lambda))$$

of complex Lie groups.

Much of the preceding material can be summarized as an equivalence of categories [Lang1]:

The following categories are equivalent:

(a) Objects: Elliptic curves over $\mathbb{C}$.
    Maps: Isogenies.

(b) Objects: Elliptic curves over $\mathbb{C}$.
    Maps: Complex analytic maps taking $O$ to $O$.

(c) Objects: Lattices $\Lambda \subset \mathbb{C}$, up to homothety.
    Maps: $\mathrm{Map}(\Lambda_1, \Lambda_2) = \{\alpha \in \mathbb{C} : \alpha\Lambda_1 \subset \Lambda_2\}$.

The previous theorem is important in that it allows us to identify $\mathrm{End}(E)$ of
$E/\mathbb{C}$ with a certain subring of $\mathbb{C}$. Thus if $E/\mathbb{C} \cong
\mathbb{C}/\Lambda$ as in the previous corollary, then

$$\mathrm{End}(E) = \{\alpha \in \mathbb{C} : \alpha\Lambda \subset \Lambda\}.$$

Since $\Lambda$ is unique up to homothety (Corr 1), this ring is independent of $\Lambda$. We
now use this description of $\mathrm{End}(E)$ to completely characterize the possible
endomorphism rings which can occur. We recall the following definition:

Def: Let $K$ be a number field. An order $\mathcal{O}$ of $K$ is a subring of $K$ which is finitely
generated as a $\mathbb{Z}$-module and satisfies $\mathcal{O} \otimes \mathbb{Q} = K$.

Now we have the most important theorem, in the sense that it is the starting point, apart from
the results in Class Field Theory which we need.

Theorem 2: Let $E/\mathbb{C}$ be an elliptic curve and let $\omega_1, \omega_2$ be generators
for the lattice $\Lambda$ associated to $E$ by Corr 2. Then either

(i) $\mathrm{End}(E) = \mathbb{Z}$, or

(ii) $\mathbb{Q}(\omega_1/\omega_2)$ is an imaginary quadratic extension of $\mathbb{Q}$, and
$\mathrm{End}(E)$ is isomorphic to an order in $\mathbb{Q}(\omega_1/\omega_2)$.

As a consequence of the above results, we have the following property of curves over fields of
characteristic 0:

Let $K$ be a field of char $= 0$ and $E/K$ an elliptic curve.

(a) Let $m \geq 1$ be an integer. Then

$$E[m] \cong \mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/m\mathbb{Z}.$$

(b) The endomorphism ring of $E$ is either $\mathbb{Z}$ or an order in an imaginary quadratic
extension of $\mathbb{Q}$.

Now let us see some of the properties of elliptic curves defined over local fields, and hence
look into the results available in the study of the group of rational points on an e.c. defined
over a field which is complete w.r.t. a discrete valuation, in the following section [Chah]
[Lang2] [Shaf2] [Lang1].


2.2 Curves Over Local Fields

Before looking into the main results, let us look into the notation used in the sequel:

$K$: a local field, complete w.r.t. a discrete valuation $v$ [Lang1] [Chah].

$\mathcal{O}_K$: the ring of integers of $K$, $\{x \in K : v(x) \geq 0\}$.

$\mathcal{O}_K^*$: the unit group of $\mathcal{O}_K$, $\{x \in K : v(x) = 0\}$.

$\mathcal{M}$: the maximal ideal of $\mathcal{O}_K$, $\{x \in K : v(x) > 0\}$.

$\pi$: a uniformizer for $\mathcal{O}_K$ (i.e. $\mathcal{M} = \pi\mathcal{O}_K$).

$k$: the residue field of $\mathcal{O}_K$, $\mathcal{O}_K/\mathcal{M}$.

We further assume that $v$ is normalized so that $v(\pi) = 1$ and that both $K$ and $k$ are
perfect fields [Lang1] [Chah].

Def: Let $E/K$ be an elliptic curve. A Weierstrass equation is called a minimal Weierstrass
equation for $E$ at $v$ if $v(\Delta)$ is minimized subject to the condition $a_1, a_2, a_3, a_4,
a_6 \in \mathcal{O}_K$. This value of $v(\Delta)$ is the valuation of the minimal discriminant
of $E$ at $v$.

We have the following proposition:

Prop 3: (a) Every elliptic curve $E/K$ has a minimal Weierstrass equation.

(b) A minimal Weierstrass equation is unique up to a change of coordinates

$$x = u^2 x' + r, \qquad y = u^3 y' + u^2 s x' + t$$

with $u \in \mathcal{O}_K^*$ and $r, s, t \in \mathcal{O}_K$.

(c) Conversely, if one starts with any Weierstrass equation with coefficients in $\mathcal{O}_K$,
then any change of coordinates

$$x = u^2 x' + r, \qquad y = u^3 y' + u^2 s x' + t$$

used to produce a minimal Weierstrass equation satisfies $u, r, s, t \in \mathcal{O}_K$.

Reduction modulo $\pi$: We next look at the operation of reduction modulo $\pi$, which we denote
by a tilde. Thus, for example, the natural reduction map $\mathcal{O}_K \to k = \mathcal{O}_K/\mathcal{M}$
is denoted $t \mapsto \tilde{t}$. Now, having chosen a minimal Weierstrass equation for $E/K$, we
can reduce its coefficients modulo $\pi$ to obtain a (possibly singular) curve over $k$, namely

$$\tilde{E} : y^2 + \tilde{a}_1 xy + \tilde{a}_3 y = x^3 + \tilde{a}_2 x^2 + \tilde{a}_4 x + \tilde{a}_6.$$

The curve $\tilde{E}/k$ is called the reduction of $E$ modulo $\pi$. From the above proposition,
since we started with a minimal equation for $E$, the equation for $\tilde{E}$ is unique up to
the standard change of coordinates for Weierstrass equations over $k$.
Next let $P \in E(K)$. We can find homogeneous coordinates $P = [x_0, y_0, z_0]$ with
$x_0, y_0, z_0 \in \mathcal{O}_K$ and at least one of them in $\mathcal{O}_K^*$. Then the
reduced point $\tilde{P} = [\tilde{x}_0, \tilde{y}_0, \tilde{z}_0]$ is in $\tilde{E}(k)$. This
gives the reduction map

$$E(K) \to \tilde{E}(k), \qquad P \mapsto \tilde{P}$$

(for a generalization of this map see [Huse]). Now we have the following result regarding the
points of finite order in the group $E(K)$:

Prop 4: Let $E/K$ be an elliptic curve and $m \geq 1$ an integer relatively prime to
$\mathrm{char}(k)$.

(a) The subgroup $E_1(K)$ has no non-trivial points of order $m$.

(b) If the reduced curve $\tilde{E}/k$ is non-singular, then the reduction map

$$E(K)[m] \to \tilde{E}(k)$$

is injective. (Here $E(K)[m]$ denotes the set of points of order $m$ in $E(K)$, and
$E_1(K) = \{P \in E(K) : \tilde{P} = \tilde{O}\}$.)

Good And Bad Reduction:

Def: Let $E/K$ be an elliptic curve, and let $\tilde{E}$ be the reduced curve for a minimal
Weierstrass equation.

(a) $E$ has good (stable) reduction over $K$ if $\tilde{E}$ is nonsingular.

(b) $E$ has multiplicative (or semistable) reduction over $K$ if $\tilde{E}$ has a node [Abh] [Chah].

(c) $E$ has additive (or unstable) reduction over $K$ if $\tilde{E}$ has a cusp [Abh] [Chah] [Men1].

Even if an elliptic curve $E/K$ has bad reduction, it is often useful to know whether it attains
good reduction over some extension of $K$. We give this property a name:

Def: Let $E/K$ be an elliptic curve. $E$ has potential good reduction over $K$ if there is a
finite extension $K'/K$ so that $E$ has good reduction over $K'$.

Example: If $K$ is a finite extension of $\mathbb{Q}_p$, and if $E/K$ has complex multiplication,
then $E$ has potential good reduction over $K$.

Prop 5 (Semi-stable reduction theorem): Let $E/K$ be an elliptic curve.

(a) Let $K'/K$ be an unramified extension. Then the reduction type of $E$ over $K$ (i.e. good,
multiplicative or additive) is the same as the reduction type of $E$ over $K'$.

(b) Let $K'/K$ be any finite extension. If $E$ has either good or multiplicative reduction over
$K$, then it has the same type of reduction over $K'$.

(c) There exists a finite extension $K'/K$ so that $E$ has either good or (split) multiplicative
reduction over $K'$.

Now we have an important proposition to follow:

Prop 6: Let $E/K$ be an elliptic curve. Then $E$ has potential good reduction if and only if its
$j$-invariant is integral (i.e. if $j(E) \in \mathcal{O}_K$).

From here on, we will change our perspective and consider the set of elliptic curves as a whole.
We will take the collection of all (isomorphism classes of) elliptic curves and make it into an
algebraic curve, a so called modular curve. Then by studying functions and differential forms on
this modular curve, we will be able to make deductions about elliptic curves. Even though this
is the way one goes about building the theory of elliptic curves in the usual texts [Lang3]
[Huse] [Silv1] [Silv2], we will here see only those results which are required to reach, or to
say understand, our final result concerned with the construction of elliptic curves of given
group order over a chosen finite field.

Firstly recall that a lattice $\Lambda \subset \mathbb{C}$ defines an elliptic curve
$E_\Lambda/\mathbb{C}$ via the complex analytic map

$$\mathbb{C}/\Lambda \to E_\Lambda(\mathbb{C}) : y^2 = 4x^3 - g_2 x - g_3, \qquad
z \mapsto (\wp(z, \Lambda), \wp'(z, \Lambda)).$$

Here the Weierstrass $\wp$-function relative to the lattice $\Lambda$ is

$$\wp(z, \Lambda) = z^{-2} + \sum_{\omega \in \Lambda,\ \omega \neq 0}
\left( (z - \omega)^{-2} - \omega^{-2} \right).$$

Further, if $\Lambda_1$ and $\Lambda_2$ are two lattices, then we have

$$E_{\Lambda_1} \cong E_{\Lambda_2}$$

($\mathbb{C}$-isomorphism) iff $\Lambda_1$ and $\Lambda_2$ are homothetic. (Recall that
$\Lambda_1$ and $\Lambda_2$ are homothetic if there is a number $c \in \mathbb{C}^*$ such that
$\Lambda_1 = c\Lambda_2$.) Thus the set of elliptic curves over $\mathbb{C}$ is intimately
related to the set of lattices in $\mathbb{C}$, which we denote by $\mathcal{L}$:

$$\mathcal{L} = \{\text{lattices in } \mathbb{C}\}.$$

We let $\mathbb{C}^*$ act on $\mathcal{L}$ by multiplication

$$c\Lambda = \{c\omega : \omega \in \Lambda\}.$$
Then the above discussion may be summarized by saying that there is an injection

$$\mathcal{L}/\mathbb{C}^* \to \frac{\{\text{elliptic curves defined over } \mathbb{C}\}}{\{\mathbb{C}\text{-isomorphism}\}}.$$

According to the Uniformization Theorem this map is a bijection. We will need to describe the
set $\mathcal{L}/\mathbb{C}^*$ more precisely. We will put a complex structure on
$\mathcal{L}/\mathbb{C}^*$ and ultimately have that it is isomorphic to $\mathbb{C}$. Let
$\Lambda \in \mathcal{L}$. We can describe $\Lambda$ by a basis, say $\Lambda = \mathbb{Z}\omega_1
+ \mathbb{Z}\omega_2$. Switching $\omega_1$ and $\omega_2$ if necessary, we always assume that
the pair $(\omega_1, \omega_2)$ gives a positive orientation (that is, the angle from $\omega_1$
to $\omega_2$ is positive and between $0$ and $180^\circ$). Since we only care about $\Lambda$
up to homothety, we can normalize our basis by looking instead at [Silv2] [Alf]

$$\frac{1}{\omega_2}\Lambda = \mathbb{Z}\frac{\omega_1}{\omega_2} + \mathbb{Z}.$$

Our choice of orientation implies that the imaginary part of $\omega_1/\omega_2$ satisfies
$\mathrm{Im}(\omega_1/\omega_2) > 0$, which suggests looking at the half plane
$H = \{\tau \in \mathbb{C} : \mathrm{Im}(\tau) > 0\}$. We have just seen that the natural map

$$H \to \mathcal{L}/\mathbb{C}^*, \qquad \tau \mapsto \Lambda_\tau = \mathbb{Z}\tau + \mathbb{Z}$$

is surjective. It is not, however, injective. When do two $\tau$'s give the same lattice?

Prop 7: (a) Let $\Lambda \subset \mathbb{C}$ be a lattice, and let $(\omega_1, \omega_2)$ and
$(\omega_1', \omega_2')$ be two oriented bases for $\Lambda$. Then

$$\omega_1' = a\omega_1 + b\omega_2, \qquad \omega_2' = c\omega_1 + d\omega_2$$

for some $\begin{pmatrix} a & b \\ c & d \end{pmatrix} \in SL_2(\mathbb{Z})$.

(b) Let $\tau_1, \tau_2 \in H$. Then $\Lambda_{\tau_1}$ is homothetic to $\Lambda_{\tau_2}$ iff
there is a $\begin{pmatrix} a & b \\ c & d \end{pmatrix} \in SL_2(\mathbb{Z})$ such that

$$\tau_2 = \frac{a\tau_1 + b}{c\tau_1 + d}.$$

(c) Let $\Lambda \subset \mathbb{C}$ be a lattice. Then there is a $\tau \in H$ such that
$\Lambda$ is homothetic to $\Lambda_\tau = \mathbb{Z}\tau + \mathbb{Z}$.

And hence we have that to each $\tau \in H$ we have associated a lattice $\Lambda_\tau =
\mathbb{Z}\tau + \mathbb{Z}$ and an elliptic curve $\mathbb{C}/\Lambda_\tau$.

The (modular) discriminant is the function

$$\Delta(\tau) = g_2(\tau)^3 - 27 g_3(\tau)^2.$$

The modular $j$-invariant $j(\tau)$ is the function

$$j(\tau) = 1728\,\frac{g_2(\tau)^3}{\Delta(\tau)}.$$

Thus $j(\tau)$ is the $j$-invariant of the elliptic curve

$$y^2 = 4x^3 - g_2(\tau)x - g_3(\tau),$$

and $E_{\Lambda_\tau}(\mathbb{C})$ has a parametrization using the Weierstrass $\wp$-function:

$$\mathbb{C}/\Lambda_\tau \to E_{\Lambda_\tau}(\mathbb{C}), \qquad
z \mapsto (\wp(z, \Lambda_\tau), \wp'(z, \Lambda_\tau)).$$

Now let us finally look into the Uniformization Theorem for elliptic curves over $\mathbb{C}$
again. Let $A, B \in \mathbb{C}$ satisfy $4A^3 + 27B^2 \neq 0$. Then there is a unique lattice
$\Lambda \subset \mathbb{C}$ such that

$$g_2(\Lambda) = 60 G_4(\Lambda) = -4A, \qquad g_3(\Lambda) = 140 G_6(\Lambda) = -4B.$$

The map

$$\mathbb{C}/\Lambda \to E : y^2 = x^3 + Ax + B, \qquad
z \mapsto \left(\wp(z, \Lambda), \tfrac{1}{2}\wp'(z, \Lambda)\right).$$

We are now ready to relate the function $j(\tau)$, defined as a meromorphic function on the
Riemann surface (the modular curve), to the $j$-invariant defined w.r.t. the Weierstrass
equation as $c_4^3/\Delta$, which classifies isomorphism classes of elliptic curves. We let

$$\mathcal{ELL}_{\mathbb{C}} = \frac{\{\text{elliptic curves defined over } \mathbb{C}\}}{\{\mathbb{C}\text{-isomorphism}\}}.$$

Thus an element of $\mathcal{ELL}_{\mathbb{C}}$ is a $\mathbb{C}$-isomorphism class of elliptic
curves. We also recall the notation

$$\mathcal{L} = \{\text{lattices in } \mathbb{C}\}.$$

Much of our preceding discussion is summarized in the following proposition: there is a
one-to-one correspondence between the following four sets, given by the indicated maps. Here
$\Lambda_\tau = \mathbb{Z}\tau + \mathbb{Z}$, $\{E_\Lambda\}$ denotes the isomorphism class of the
elliptic curve

$$E_\Lambda : y^2 = 4x^3 - g_2(\Lambda)x - g_3(\Lambda),$$

and $\{\Lambda\}$ is the homothety class of the lattice $\Lambda$.

Let us describe in a bit more detail the bijective map

$$\mathcal{ELL}_{\mathbb{C}} \to \mathbb{C}$$

given in the above proposition. Let $\{E\} \in \mathcal{ELL}_{\mathbb{C}}$ be an isomorphism class
of elliptic curves, and choose a Weierstrass equation

$$E : y^2 = x^3 + Ax + B$$

for some curve $E$ in this class. Now take a basis $\gamma_1, \gamma_2$ for the homology group
$H_1(E(\mathbb{C}), \mathbb{Z})$ and compute the periods [Silv2]

$$\omega_1 = \int_{\gamma_1} \frac{dx}{y} \quad \text{and} \quad \omega_2 = \int_{\gamma_2} \frac{dx}{y};$$

switching $\omega_1$ and $\omega_2$ if necessary, we may assume that

$$\tau_E = \frac{\omega_1}{\omega_2} \in H.$$

Then evaluate the holomorphic function $j(\tau)$ at $\tau = \tau_E$. Thus the map

$$j : \mathcal{ELL}_{\mathbb{C}} \to \mathbb{C}, \qquad \{E\} \mapsto j(\tau_E)$$

involves two transcendental (i.e. non-algebraic) operations, namely the computation of the
periods and the evaluation of the function $j(\tau)$. From this perspective, it seems unlikely
that rationality properties of $j(\tau_E)$ should have anything to do with rationality
properties of $E$. To describe the relationship that does exist, we make the following
definitions.

Def: Let $\{E\} \in \mathcal{ELL}_{\mathbb{C}}$, and let $K \subset \mathbb{C}$. We say that $K$ is
a field of definition for $\{E\}$ if there is an elliptic curve $E_0$ in the isomorphism class
$\{E\}$ such that $E_0$ is defined over $K$. We say that $K$ is a field of moduli for $\{E\}$ if
for all automorphisms $\sigma \in \mathrm{Aut}(\mathbb{C}/\mathbb{Q})$,

$$E^\sigma \in \{E\}$$

iff $\sigma$ acts trivially on $K$. Note that the field of moduli exists and is unique, since by
Galois theory an equivalent definition is that the field of moduli is the fixed field of the
group [Silv2] [Lang1]

$$\{\sigma \in \mathrm{Aut}(\mathbb{C}/\mathbb{Q}) : E^\sigma \in \{E\}\}.$$

From the complex analytic viewpoint described above, it is not clear that the number $j(\{E\})$
should have any relationship to fields of definition and moduli for $\{E\}$. Note that there are
lots of bijections $\mathcal{ELL}_{\mathbb{C}} \to \mathbb{C}$. We have the following proposition
about the field of moduli for $\{E\}$.

Prop 8: Let $\{E\} \in \mathcal{ELL}_{\mathbb{C}}$.

(a) $\mathbb{Q}(j(\{E\}))$ is the field of moduli for $\{E\}$.

(b) $\mathbb{Q}(j(\{E\}))$ is the minimal field of definition for $\{E\}$.


Now, in the next section, let us introduce ourselves to one of the most important and
beautiful topics not only in mathematics but in science as a whole [BCIS] [Silv2]
[Shaf2], which leads to our problem of construction of curves.


2.3 Complex Multiplication

Most elliptic curves over $\mathbb{C}$ have only the multiplication-by-$m$ endomorphisms. An
elliptic curve that possesses extra endomorphisms is said to have Complex Multiplication, or CM
for short. Such curves have many properties. For example, the endomorphism ring of a CM curve
$E$ is an order in an imaginary quadratic field $K$, and the $j$-invariant and torsion points of
$E$ generate abelian extensions of $K$. (This is analogous to the way in which the torsion
points of $\mathbb{G}_m(\mathbb{C}) = \mathbb{C}^*$ generate abelian extensions of $\mathbb{Q}$.)
An important result in the cyclotomic theory [Shaf2] [Chah] [Lang2] is the Kronecker-Weber
theorem, which says that every abelian extension of $\mathbb{Q}$ is contained in a cyclotomic
extension. We will see the corresponding results for an imaginary quadratic field $K$. The most
important of these, as we will see, is how to construct an elliptic curve such that $K(j(E))$ is
the Hilbert Class Field of $K$, and we will see how to use the torsion points of $E$ to generate
the maximal abelian extension of $K$. (The main prerequisite to this section is some familiarity
with the basic theorems of Class Field Theory. For those without such an exposure, assuming the
end results would suffice.)

Complex Multiplication of curves over $\mathbb{C}$:

Let $E/\mathbb{C}$ be an elliptic curve with complex multiplication. We know from [BCIS] [Silv1]
that $\mathrm{End}(E) \otimes \mathbb{Q}$ is isomorphic to a quadratic imaginary field. If
$\mathrm{End}(E) = \mathcal{O} \subset \mathbb{C}$ and $K = \mathcal{O} \otimes \mathbb{Q}$, then
we will say that $E$ has complex multiplication by $\mathcal{O}$, or that $E$ has CM by $K$. We
also let

$$\mathcal{O}_K = \text{ring of integers (maximal order) of } K.$$

Much of the theory becomes easier if one restricts attention to elliptic curves with CM by
$\mathcal{O}_K$, so we will usually take this course.

We have seen in the previous sections that in order to understand particular elliptic curves,
it is often useful to study the set of all elliptic curves. Similarly, in order to study a
particular elliptic curve with CM, it turns out that one should look at the set of all elliptic
curves with the same endomorphism ring. Of course, by elliptic curves we really mean isomorphism
classes of elliptic curves, which leads us to define

$$\mathcal{ELL}(\mathcal{O}) = \frac{\{\text{elliptic curves } E/\mathbb{C} \text{ with } \mathrm{End}(E) \cong \mathcal{O}\}}{\text{isomorphism over } \mathbb{C}}
= \frac{\{\text{lattices } \Lambda \text{ in } \mathbb{C} \text{ with } \mathrm{End}(E_\Lambda) \cong \mathcal{O}\}}{\text{homothety}}.$$

If we start with an imaginary quadratic field $K$, how might we construct an elliptic curve with
CM by $\mathcal{O}_K$? If $\mathfrak{a}$ is a nonzero ideal of $\mathcal{O}_K$, or more generally
if it is a fractional ideal of $K$, then using the embedding $\mathfrak{a} \subset K \subset
\mathbb{C}$ we see that $\mathfrak{a}$ is a lattice in $\mathbb{C}$. (This is clear from the
definition of fractional ideals [Heck] [Cohn1] [Shaf2] [Lang2] [PoZe], which for quadratic
imaginary fields implies that $\mathfrak{a}$ is a $\mathbb{Z}$-module of rank 2 which is not
contained in $\mathbb{R}$.) Hence we form an elliptic curve $E_{\mathfrak{a}}$ whose
endomorphism ring is

$$\mathrm{End}(E_{\mathfrak{a}}) = \{\alpha \in \mathbb{C} : \alpha\mathfrak{a} \subset \mathfrak{a}\}
= \{\alpha \in K : \alpha\mathfrak{a} \subset \mathfrak{a}\} \quad (\text{since } \mathfrak{a} \subset K)$$

$$= \mathcal{O}_K \quad (\text{since } \mathfrak{a} \text{ is a fractional ideal}).$$

Thus each nonzero fractional ideal $\mathfrak{a}$ of $K$ will give an elliptic curve with CM by
$\mathcal{O}_K$. On the other hand, since homothetic lattices give isomorphic elliptic curves,
we see that $\mathfrak{a}$ and $c\mathfrak{a}$ give the same curve in
$\mathcal{ELL}(\mathcal{O}_K)$. This suggests that we look at the group of fractional ideals
modulo principal ideals which, the reader may recognize, is one of the fundamental objects of
study in algebraic number theory:

$$\mathcal{CL}(\mathcal{O}_K) = \text{ideal class group of } \mathcal{O}_K
= \frac{\{\text{nonzero fractional ideals of } K\}}{\{\text{nonzero principal ideals of } K\}}.$$

If $\mathfrak{a}$ is a fractional ideal of $K$, we denote by $\bar{\mathfrak{a}}$ its ideal class
in $\mathcal{CL}(\mathcal{O}_K)$. We have seen that there is a map

$$\mathcal{CL}(\mathcal{O}_K) \to \mathcal{ELL}(\mathcal{O}_K), \qquad \bar{\mathfrak{a}} \mapsto E_{\mathfrak{a}}.$$

More generally, if $\Lambda$ is any lattice with $E_\Lambda \in \mathcal{ELL}(\mathcal{O}_K)$ and
$\mathfrak{a}$ is any nonzero fractional ideal of $K$, we can form the product

$$\mathfrak{a}\Lambda = \{a_1\lambda_1 + \cdots + a_n\lambda_n : a_i \in \mathfrak{a},\ \lambda_i \in \Lambda\}.$$

Now we have an elementary but crucial fact: this induces a simply transitive action of the
ideal class group $\mathcal{CL}(\mathcal{O}_K)$ on the set of elliptic curves
$\mathcal{ELL}(\mathcal{O}_K)$. This proposition forms the basis for all of our subsequent
results on CM:

Prop 9: (a) Let $\Lambda$ be a lattice with $E_\Lambda \in \mathcal{ELL}(\mathcal{O}_K)$, and let
$\mathfrak{a}$ and $\mathfrak{b}$ be nonzero fractional ideals of $K$.

(i) $\mathfrak{a}\Lambda$ is a lattice in $\mathbb{C}$.

(ii) The elliptic curve $E_{\mathfrak{a}\Lambda}$ satisfies $\mathrm{End}(E_{\mathfrak{a}\Lambda}) = \mathcal{O}_K$.

(iii) $E_{\mathfrak{a}\Lambda} \cong E_{\mathfrak{b}\Lambda}$ iff $\bar{\mathfrak{a}} = \bar{\mathfrak{b}}$ in $\mathcal{CL}(\mathcal{O}_K)$.

Hence there is a well defined action of $\mathcal{CL}(\mathcal{O}_K)$ on $\mathcal{ELL}(\mathcal{O}_K)$
determined by

$$\bar{\mathfrak{a}} * E_\Lambda = E_{\mathfrak{a}^{-1}\Lambda}.$$

(b) The action of $\mathcal{CL}(\mathcal{O}_K)$ on $\mathcal{ELL}(\mathcal{O}_K)$ described in (a)
is simply transitive. In particular,

$$\#\mathcal{CL}(\mathcal{O}_K) = \#\mathcal{ELL}(\mathcal{O}_K).$$

Now, let us look into a proposition which says that every elliptic curve with CM is defined over
an algebraic extension of $\mathbb{Q}$.

Prop 10: (a) Let $E/\mathbb{C}$ be an elliptic curve, and let $\sigma : \mathbb{C} \to \mathbb{C}$
be any field automorphism of $\mathbb{C}$. Then

$$\mathrm{End}(E^\sigma) \cong \mathrm{End}(E).$$

(b) Let $E/\mathbb{C}$ be an e.c. with CM by the ring of integers $\mathcal{O}_K$ of an imaginary
quadratic field $K$. Then $j(E) \in \bar{\mathbb{Q}}$. (Later we will see that $j(E)$ is an
algebraic integer, i.e. $j(E) \in \bar{\mathbb{Z}}$.)

(c)

$$\mathcal{ELL}(\mathcal{O}_K) = \frac{\{\text{elliptic curves } E/\bar{\mathbb{Q}} \text{ with } \mathrm{End}(E) = \mathcal{O}_K\}}{\text{isomorphism over } \bar{\mathbb{Q}}}.$$

Since till now we have looked into the results in the theory of CM, which provide the crucial
link between $\mathcal{ELL}(\mathcal{O})$ and lattices in $\mathbb{C}$, we now take recourse to
Class Field Theory, which provides us with the actual explicit link. Here again, we will be
concerned with the end results and not the intricacies involved in Class Field Theory. (That
is, we will just see what Class Field Theory says about our problem.) But the reader is strongly
advised to look into [Cohn1] [BCIS] for all the basic material.


2.4 Class Field Theory: A Brief Review

Class Field Theory describes the abelian extensions of a number field $K$ in terms of the
arithmetic of $K$. The theory of CM provides an analytic realization of class field theory for
imaginary quadratic fields, much as cyclotomic theory gives a realization of class field theory
for $\mathbb{Q}$ (Kronecker-Weber theorem). We will here look into the classical version using
ideals and ideal class groups. We will restrict our attention to totally imaginary quadratic
fields, that is, fields with no real embeddings, since that is the only case we will use in the
sequel.

Let $K$ be a totally imaginary quadratic number field and let $L$ be a finite abelian extension
of $K$, that is, $L/K$ is Galois with abelian Galois group. As usual, we write $\mathcal{O}_K$ and
$\mathcal{O}_L$ for the rings of integers (maximal orders) of $K$ and $L$ respectively. Let
$\mathfrak{p}$ be a prime of $K$ which does not ramify in $L$, and let $\mathfrak{B}$ be a prime
of $L$ lying over $\mathfrak{p}$ [PoZe] [Lang2] [Heck] [Shaf2]. Thus the picture is

$L \supset K$ (finite abelian extension)

$\mathfrak{B} \mid \mathfrak{p}$ (unramified prime)

$\mathcal{O}_L/\mathfrak{B} \supset \mathcal{O}_K/\mathfrak{p}$ (extension of finite fields)

By restriction, we get a homomorphism from the decomposition group of $\mathfrak{B}$ to the
Galois group of the residue fields:

$$\{\sigma \in \mathrm{Gal}(L/K) : \mathfrak{B}^\sigma = \mathfrak{B}\} \to
\mathrm{Gal}\big((\mathcal{O}_L/\mathfrak{B}) / (\mathcal{O}_K/\mathfrak{p})\big).$$

The right hand Galois group is cyclic, generated by the Frobenius endomorphism.

Further, since $\mathfrak{p}$ is unramified, there is a unique element $\sigma_{\mathfrak{p}} \in
\mathrm{Gal}(L/K)$ which maps to the Frobenius endomorphism. The notation reflects the fact that
$\sigma_{\mathfrak{p}}$ is determined by the prime ideal $\mathfrak{p}$ in $K$. For a general
Galois extension $L/K$, $\mathfrak{p}$ will only determine the conjugacy class of
$\sigma_{\mathfrak{p}}$, and making a new choice for $\mathfrak{B}$ will change
$\sigma_{\mathfrak{p}}$ by conjugation. But in our situation $\sigma_{\mathfrak{p}}$ will not
change, since we have assumed that $L/K$ is abelian. Thus $\sigma_{\mathfrak{p}} \in
\mathrm{Gal}(L/K)$ is uniquely determined by the condition

$$\sigma_{\mathfrak{p}}(x) \equiv x^{N\mathfrak{p}} \pmod{\mathfrak{B}} \quad \forall\, x \in \mathcal{O}_L.$$

After the following theorem, we reach the most important theorem needed by us to develop a
procedure to design an elliptic curve of given group order over large finite fields.

Theorem: Let $K/\mathbb{Q}$ be an imaginary quadratic field with ring of integers
$\mathcal{O}_K$, and let $E/\mathbb{C}$ be an elliptic curve with $\mathrm{End}(E) =
\mathcal{O}_K$. Then $K(j(E))$ is the Hilbert Class Field $\mathcal{H}$ of $K$. (For the
definition of Hilbert Class Field, please see [BCIS] [Cohn1] [Shaf1] [Shaf2] [Heck].)


Remark: Note that it is easy to have a curve whose endomorphism ring is $O_K$. For 
example, we could take E to be the curve corresponding to the lattice $O_K$. Then 

$$j(E) = j(O_K) = 1728\,\frac{g_2(O_K)^3}{g_2(O_K)^3 - 27\,g_3(O_K)^2}$$

is given in terms of the series $g_2(O_K)$ and $g_3(O_K)$ involving the elements of $O_K$. Alternatively, 
if we write $O_K = \mathbb{Z}\tau + \mathbb{Z}$, then 

$$j(E) = j(O_K) = e^{-2\pi i \tau} + \sum_{n=0}^{\infty} c(n)\, e^{2\pi i n \tau},$$

where the $c(n) \in \mathbb{Z}$ are the coefficients in the q-series expansion of j [Silv2] [AtMo]. So 
the above theorem says that the Hilbert Class Field of an imaginary quadratic field K is 
generated by the value of a certain holomorphic function $j(\tau)$ evaluated at a generator for 
the ring of integers of K. 

We now have the final result, which says much more than the mere statement of the 
above theorem: 

Theorem: Let E be an elliptic curve representing an isomorphism class in $\mathcal{ELL}(O_K)$. 

(a) $K(j(E))$ is the Hilbert Class Field $H$ of K. 

(b) $[\mathbb{Q}(j(E)) : \mathbb{Q}] = [K(j(E)) : K] = h_K$, where $h_K = \#\mathcal{CL}(O_K)$ is the class 
number of K. 

(c) Let $E_1, \dots, E_h$ be a complete set of representatives for $\mathcal{ELL}(O_K)$. Then $j(E_1), \dots, j(E_h)$ is 
a complete set of $\mathrm{Gal}(\bar K/K)$-conjugates for $j(E)$. 

(d) For every prime ideal $\mathfrak{P}$ of K, 

$$j(E)^{\sigma_{\mathfrak{P}}} = j(\mathfrak{P} * E).$$

More generally, for every nonzero fractional ideal $\mathfrak{A}$ of K, 

$$j(E)^{(\mathfrak{A},\,H/K)} = j(\mathfrak{A} * E),$$

where $(\mathfrak{A}, H/K)$ is the Artin symbol and, in the notation of [Silv2], $\mathfrak{A} * E$ denotes the curve 
$\mathbb{C}/\mathfrak{A}^{-1}\Lambda$ when $E \cong \mathbb{C}/\Lambda$. 

Finally, we have: 

Theorem: $j(E)$ is an algebraic integer, i.e. $j(E) \in \bar{\mathbb{Z}}$. 

The reader is referred to [Cohnl] [BCIS] [Shaf2] [Shafl] for the material concerned with 
Class Fields and Ring Class Fields. 
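Example (added here for illustration; the values are the standard ones for discriminant $-20$ and are not taken from the thesis). Take $K = \mathbb{Q}(\sqrt{-5})$, $O_K = \mathbb{Z}[\sqrt{-5}]$, discriminant $-20$, $h_K = 2$. The class group is $\mathcal{CL}(O_K) = \{[O_K], [\mathfrak{p}_2]\}$ with $\mathfrak{p}_2 = (2, 1+\sqrt{-5})$, $\mathfrak{p}_2^2 = (2)$. The two class invariants are 

$$j(O_K) = j(\sqrt{-5}) = 632000 + 282880\sqrt{5}, \qquad j(\mathfrak{p}_2) = j\Big(\frac{1+\sqrt{-5}}{2}\Big) = 632000 - 282880\sqrt{5},$$

so the minimal polynomial of $j(O_K)$ over K (and over $\mathbb{Q}$) is 

$$H_{-20}(x) = x^2 - 1264000\,x - 681472000,$$

and $H = K(j(O_K)) = K(\sqrt{5}) = \mathbb{Q}(\sqrt{-5}, \sqrt{5})$, of degree $h_K = 2$ over K and $2h_K = 4$ over $\mathbb{Q}$, as (a)-(c) assert. For (d), check the Artin map on two unramified primes: 

$\mathfrak{p}_3 = (3, 1+\sqrt{-5})$ is not principal (3 is not of the form $x^2 + 5y^2$; indeed $2 \cdot 3 = (1+\sqrt{-5})(1-\sqrt{-5})$), so $[\mathfrak{p}_3] = [\mathfrak{p}_2]$. Since $N\mathfrak{p}_3 = 3$, the condition $\sigma_{\mathfrak{p}_3}(x) \equiv x^3 \pmod{\mathfrak{B}}$ gives $\sigma_{\mathfrak{p}_3}(\sqrt{5}) \equiv \sqrt{5}^{\,3} = 5\sqrt{5} \equiv -\sqrt{5} \pmod{\mathfrak{B}}$, so $\sigma_{\mathfrak{p}_3}$ is the nontrivial automorphism and 
$$j(O_K)^{\sigma_{\mathfrak{p}_3}} = 632000 - 282880\sqrt{5} = j(\mathfrak{p}_3 * O_K),$$ 
as $\mathfrak{p}_3 * O_K = \mathbb{C}/\mathfrak{p}_3^{-1}$ lies in the class of $\mathfrak{p}_2$. 

$29 = 3^2 + 5 \cdot 1^2$, so $\mathfrak{p}_{29} = (3+\sqrt{-5})$ is principal. Here $5^{14} \equiv 1 \pmod{29}$, hence $\sqrt{5}^{\,29} = 5^{14}\sqrt{5} \equiv \sqrt{5}$, $\sigma_{\mathfrak{p}_{29}} = 1$ and $j(O_K)$ is fixed, as (d) requires for a principal ideal.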


2.5 Class Invariants 

Before looking into what class invariants are, let us look into the notion of complex 
multiplication once again briefly. 

The notion of complex multiplication: Let E be an elliptic curve. As a complex Lie group, 
it is the quotient of the complex plane $\mathbb{C}$ by a lattice $\Lambda$, spanned by two periods $\omega_1, \omega_2$, and 
since E is isomorphic to the curve defined by the periods $z\omega_1, z\omega_2$ for any nonzero $z \in \mathbb{C}$, 
we may assume $\Lambda$ to be spanned by 1 and $\tau$, where $\tau$ has positive imaginary part. 

An endomorphism of E may be identified with an endomorphism of its universal covering 
$\mathbb{C}$ mapping $\Lambda$ into itself; it is therefore multiplication by a complex number z such 
that $z, z\tau \in \Lambda$. The endomorphisms of E form a ring $\mathrm{End}(E)$, which always contains the 
integers $\mathbb{Z}$ (the trivial endomorphisms). The other ones (if any) are given by non-integral complex 
numbers and are called Complex Multiplications. If $\mathrm{End}(E) \neq \mathbb{Z}$, the curve is said to 
admit complex multiplications. 

In general, E has no CM. In fact, assume that z defines a non-trivial endomorphism of 
E. Then 

$$z = a + b\tau, \qquad z\tau = c + d\tau \qquad (a, b, c, d \text{ integers},\ b \neq 0),$$

whence 

$$a\tau + b\tau^2 = c + d\tau,$$

and $\tau$ must belong to an imaginary quadratic field, say K; moreover z belongs to the ring of 
integers $O_K$ of K since it is in K and defines an endomorphism of a $\mathbb{Z}$-module of finite rank, 
namely $\Lambda$. Therefore $\mathrm{End}(E)$ is an order of K (a subring of $O_K$ containing z which 
has rank 2 as a $\mathbb{Z}$-module); one gets in this way all orders of all imaginary quadratic fields 
(if $\mathcal{O}$ is such an order, take for E a curve with lattice of periods $\mathcal{O}$; since $1 \in \mathcal{O}$, $z\mathcal{O} \subset \mathcal{O}$ 
iff $z \in \mathcal{O}$, whence $\mathrm{End}(E) = \mathcal{O}$). 

Assume that $\mathrm{End}(E) = O_K$ and that $\Lambda \subset K$. Then $\Lambda$ is an ideal of K, and conversely 
any ideal of K gives rise to a curve E such that $\mathrm{End}(E) = O_K$. Two such curves are 
isomorphic iff the ideals are homothetic, i.e. belong to the same ideal class. 

Let j be the modular function. For the curve with normal equation 

$$y^2 = 4x^3 - g_2 x - g_3$$

its value is 

$$j = 1728\, g_2^3/\Delta, \qquad \Delta = g_2^3 - 27 g_3^2.$$

Two elliptic curves are isomorphic over an algebraically closed field iff their modular 
invariants are equal. By the above, j defines a function on the ideal classes $A_1, \dots, A_h$ of 
K; the numbers $j(A_i)$ are singular values of j, and are called the Class Invariants of K; 
they are pairwise different, and have proved to be of fundamental importance in the study 
of abelian extensions of K. Now let us see some important theorems (we have already seen 
them, but here we are restating them in terms of the Class Invariants just defined): 

Theorem 1: The class invariants $j(A_i)$ are algebraic integers, i.e. they belong to $\bar{\mathbb{Z}}$. 

Theorem 2: $K(j(A_i))$ is independent of i ($1 \le i \le h$), and is the maximal 
unramified abelian extension of K. 

(Unramified means that every prime ideal of K decomposes as a product of distinct prime 
ideals, each with exponent 1.) 

By Class Field Theory, it is known that the maximal unramified abelian extension 
of K (Hilbert's absolute class field) exists and that its Galois group $G_K$ is canonically 
isomorphic to the group $C_K$ of ideal classes; the next theorem describes how it operates 
on the class invariants. 

Theorem 3: Let $A \in \mathcal{CL}(O_K)$ and let $\sigma_A \in G_K$ be its image by the isomorphism 
of Class Field Theory. Then 

$$\sigma_A(j(A_i)) = j(A^{-1} \cdot A_i).$$

2.6 Weber's Class Invariants 

Till now, in all of our previous discussions, we saw results concerned with elliptic curves 
which admit CM and whose endomorphism ring $\mathrm{End}(E)$ is the whole of the ring of 
integers $O_K$ of K (i.e. the maximal order of K). But as we will see, for our problem of 
construction of elliptic curves it is the ring class field $H_{\mathcal{O}}$ associated to an order $\mathcal{O} \subset O_K$ 
of K, and not always the class field associated to the maximal order $O_K$, that is actually 
needed. For this, we will look into the way Weber extended (rather, generalized) the 
concept of what Class Invariants are. Before that let us recall again some 
basic definitions: 

The modular group and modular invariant j: 

The modular group is defined to be $\Gamma = SL_2(\mathbb{Z})/\{\pm 1\}$. An element $g = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$ of $\Gamma$ 
acts on $\mathbb{H} = \{z \in \mathbb{C} : \mathrm{Im}(z) > 0\}$ by 

$$gz = \frac{az + b}{cz + d}.$$

It is known that $\Gamma$ is generated by 

$$S = \begin{pmatrix} 0 & -1 \\ 1 & 0 \end{pmatrix}, \qquad T = \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}.$$

A modular form of weight 2k (k any integer) is a function meromorphic everywhere on 
$\mathbb{H}$ and at infinity, satisfying 

$$f\!\left(\frac{az+b}{cz+d}\right) = (cz+d)^{2k} f(z) \qquad \forall \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in SL_2(\mathbb{Z}),\ \forall z \in \mathbb{H}.$$

If the form is holomorphic everywhere (which implies $k \ge 0$ for nonconstant forms), we 
say that the form is regular. A form of weight 0 is called a modular function. 

Let $\Lambda(1, \omega) = \mathbb{Z} + \omega\mathbb{Z}$ be a lattice in $\mathbb{C}$ ($\omega \in \mathbb{H}$). Put 

$$G_{2k}(\Lambda) = \sum_{(m,n) \neq (0,0)} \frac{1}{(m\omega + n)^{2k}}$$

for $k > 1$; then $G_{2k}(\Lambda)$ is a regular modular form of weight 2k. We put $g_2(\Lambda) = 60\,G_4$, 
$g_3(\Lambda) = 140\,G_6$ and $\Delta = g_2^3 - 27 g_3^2$: these are regular modular forms of weight 
4, 6 and 12, respectively. The modular invariant j is then $j = 1728\, g_2^3/\Delta$. We have the 
proposition: 

Prop: The function j is a modular function (i.e. a modular form of weight 0), is 
holomorphic in $\mathbb{H}$, and has a simple pole at infinity. The function j is a complex analytic 
isomorphism from $\mathbb{H}/\Gamma$ to $\mathbb{C}$. 

Let K be an imaginary quadratic field and $O_K$ its ring of integers (maximal order). 
The discriminant of K is the discriminant of $O_K$, and the discriminant of any order $\mathcal{O} \subset O_K$ 
in K is given by 

$$D[\mathcal{O}] = D[O_K] \cdot f(\mathcal{O})^2.$$

If $1, \omega$ ($\omega \in O_K$) is an integral basis for $\mathcal{O}$, i.e. $\mathcal{O} = [1, \omega] = \mathbb{Z} + \omega\mathbb{Z}$, and $O_K = [1, \omega_K] = \mathbb{Z} + \omega_K\mathbb{Z}$, then 

$$D[\mathcal{O}] = D[O_K] \cdot f(\omega)^2,$$

where the positive integer $f(\omega)$ is called the ring-index (conductor) of $\omega$ because $f(\omega) = f(\mathcal{O}) = [O_K : \mathcal{O}]$. 
That is, $O_K$ is the integral closure of $\mathcal{O}$ in K, of index $[O_K : \mathcal{O}] = f(\mathcal{O}) = f(\omega)$. 
It can be shown that if $O_K = [1, \omega_K]$ then any order $\mathcal{O} \subset O_K$ in K is given by 
$\mathcal{O} = [1, \omega] = [1, f(\omega) \cdot \omega_K]$. That is, $\mathcal{O} = \mathbb{Z} + [O_K : \mathcal{O}]\,\omega_K \mathbb{Z}$. 

Now, let $u(z)$ denote a modular function (i.e. a modular form of weight 0) and $\omega = \omega(\mathcal{O})$ 
be the generator of $\mathcal{O}$ such that $\mathcal{O} = \mathbb{Z} + \omega\mathbb{Z} = \mathbb{Z} + [O_K : \mathcal{O}]\,\omega_K\mathbb{Z}$, where $\omega_K = \omega(O_K)$. Weber 
calls $u(\omega)$ a Class Invariant if $u(\omega) \in H_{\mathcal{O}} = K(j(\omega))$, the ring class field associated to 
the order $\mathcal{O} = [1, \omega]$. 

Since we can construct Class Invariants which belong to the ring class field associated 
to an order $\mathcal{O}$ in K, our strategy to find the j-invariant $j(\omega)$, and hence an elliptic 
curve having a given group order over a large finite field (since the j-invariant determines 
a curve uniquely up to isomorphism), would be to construct suitable Class Invariants $u(\omega)$ 
which are functions of $j(\omega)$ and whose minimal polynomials can be found indirectly (i.e. 
can be computed easily), solve the minimal polynomial to get $u = u(\omega)$, and use the 
relation between $u(\omega)$ and $j(\omega)$ to get $j(\omega)$. We will see the details of this in the next chapter, 
in the design section. For examples of Weber Class Invariants, the reader is referred to 
[AtMo]. 
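As an added example (not code from the thesis), the following Python routine computes the minimal polynomial of the class invariant $j(\omega)$ directly, i.e. the class polynomial $H_D(x) = \prod_i (x - j(\tau_i))$ over the reduced forms of discriminant $D$, which is exactly the polynomial the strategy above tries to reach through a smaller Weber invariant instead. It evaluates j through the q-series of the normalized Eisenstein series $E_4, E_6$ (the $g_2, g_3$ of this section up to the constants $4\pi^4/3$ and $8\pi^6/27$), enumerates primitive reduced forms, multiplies out the product and rounds the coefficients, which the theorems of Section 2.4 guarantee to be integers. Orders other than the maximal one (e.g. $D = -12, -16$) are handled the same way, giving the ring class polynomial. The function and variable names are mine; nothing here comes from [AtMo].

```python
"""Added example (not from the thesis): numerical class polynomial H_D(x) =
prod (x - j(tau_i)) over the reduced forms of discriminant D, i.e. the minimal
polynomial of the class invariant j(omega).  j is evaluated from the q-series of
the weight 4 and 6 Eisenstein series, which are the g_2, g_3 of Sec. 2.6 up to
normalizing constants that cancel in j = 1728 g_2^3 / (g_2^3 - 27 g_3^2)."""
import cmath
from math import gcd, isqrt


def divisor_power_sum(n, k):
    """sigma_k(n) = sum of d^k over the divisors d of n."""
    return sum(d ** k for d in range(1, n + 1) if n % d == 0)


def j_invariant(tau, terms=60):
    """j(tau) = 1728 E4^3 / (E4^3 - E6^2), q = exp(2 pi i tau), Im(tau) > 0,
    E4 = 1 + 240 sum sigma_3(n) q^n,  E6 = 1 - 504 sum sigma_5(n) q^n."""
    q = cmath.exp(2j * cmath.pi * tau)
    e4 = 1 + 240 * sum(divisor_power_sum(n, 3) * q ** n for n in range(1, terms))
    e6 = 1 - 504 * sum(divisor_power_sum(n, 5) * q ** n for n in range(1, terms))
    return 1728 * e4 ** 3 / (e4 ** 3 - e6 ** 2)


def reduced_forms(D):
    """Primitive reduced forms (a, b, c) with b^2 - 4ac = D < 0:
    -a < b <= a <= c, and b >= 0 whenever a == c.  One form per ideal class."""
    forms = []
    for a in range(1, isqrt(-D // 3) + 1):
        for b in range(-a + 1, a + 1):
            if (b * b - D) % (4 * a):
                continue
            c = (b * b - D) // (4 * a)
            if c < a or (a == c and b < 0) or gcd(gcd(a, abs(b)), c) != 1:
                continue
            forms.append((a, b, c))
    return forms


def class_polynomial(D):
    """Integer coefficients of H_D(x), highest degree first, and the forms used.
    The form (a, b, c) corresponds to the lattice [1, tau], tau = (-b + sqrt(D)) / 2a."""
    forms = reduced_forms(D)
    roots = [j_invariant((-b + cmath.sqrt(D)) / (2 * a)) for a, b, c in forms]
    coeffs = [1 + 0j]
    for r in roots:                               # multiply out prod (x - r)
        coeffs = [u - r * v for u, v in zip(coeffs + [0], [0] + coeffs)]
    rounded = [round(z.real) for z in coeffs]
    # The theorems of Sec. 2.4 say these are integers; a large residual means
    # double precision was not enough for this D (coefficients grow fast with |D|).
    assert all(abs(z - w) < 1e-2 for z, w in zip(coeffs, rounded)), "precision loss"
    return rounded, forms


if __name__ == "__main__":
    for D in (-3, -4, -7, -8, -12, -16, -20):
        poly, forms = class_polynomial(D)
        print(D, "h =", len(forms), forms, poly)
```

The D = -20 run reproduces $x^2 - 1264000x - 681472000$ with the two forms (1, 0, 5) and (2, 2, 3), i.e. the classes of $O_K$ and $\mathfrak{p}_2$. The size of the constant term already for $h_K = 2$ is the reason the text prefers a Weber invariant $u(\omega)$ with a smaller minimal polynomial; the numerical approach itself does not change, only the function evaluated at $\omega$.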
Chapter 3 


Optimal Normal Basis 


We know that by representing the elements of GF(2^n) (GF(p^n) in general) in terms of a 
normal basis, some arithmetic operations in that field can be simplified (that is, made almost 
free) because we can re-interpret them in terms of shifts (which amounts to squaring in 
GF(2^n), or the p-th power map in GF(p^n)) and additions (mod 2, or mod p) of the coordinate 
vectors of the elements (w.r.t. the chosen basis) [Men2] [LidN]. Now let us see if the arithmetic 
operation of multiplication w.r.t. a normal basis representation can be simplified or optimised 
in the sense of further reducing the computation, that is to say, let us see whether some kind 
of optimality (defined w.r.t. some criterion) is feasible or not because of the nature of the 
particular normal basis chosen [MOVW] (for a given field, many exist). 


3.1 Optimality Criterion 

Let $\{\beta, \beta^2, \beta^{2^2}, \dots, \beta^{2^{n-1}}\}$ be a normal basis (NB) of GF(2^n) and let elements A, B, C of GF(2^n) 
be given in terms of the NB as 

$$A = \sum_{i=0}^{n-1} a_i \beta^{2^i}, \qquad B = \sum_{i=0}^{n-1} b_i \beta^{2^i}, \qquad C = A \cdot B = \sum_{k=0}^{n-1} c_k \beta^{2^k}.$$

Writing the cross-product terms in the NB as 

$$\beta^{2^i} \beta^{2^j} = \sum_{k=0}^{n-1} \lambda_{ij}^{(k)} \beta^{2^k}, \qquad \lambda_{ij}^{(k)} \in GF(2),$$

substitution yields the following bilinear form for $c_k$: 

$$c_k = \sum_{i=0}^{n-1} \sum_{j=0}^{n-1} a_i b_j \lambda_{ij}^{(k)} = \sum_{i=0}^{n-1} \sum_{j=0}^{n-1} a_{i+k} b_{j+k} \lambda_{ij}^{(0)},$$

where the subscripts of a and b are taken mod n (the second equality follows by applying the 
map $x \mapsto x^{2^k}$, which permutes the NB cyclically, so that $\lambda_{ij}^{(k)} = \lambda_{i-k,\,j-k}^{(0)}$) [MOVW]. Thus we have 

$$c_0 = A \Lambda B^T, \qquad \Lambda = (\lambda_{ij}) = (\lambda_{ij}^{(0)}),$$

$$A = (a_0, a_1, \dots, a_{n-1}), \quad B = (b_0, b_1, \dots, b_{n-1}), \quad C = (c_0, c_1, \dots, c_{n-1}),$$

where $B^T$ is the transpose of B. The remaining coefficients of C can be found using the 
same matrix, but with A and B cyclically shifted. 

In terms of hardware implementation of the arithmetic operation of multiplication, the 
circuit to compute $c_0$ also computes $c_k$ if the registers holding A and B are cyclically shifted 
k positions to the left. 

Clearly it is useful to define the quantity 

$$C_N = \big|\{(i, j) : \lambda_{ij} \neq 0,\ 0 \le i, j \le n-1\}\big|$$

(where |S| represents the cardinality of the set S), which will be referred to as the 
complexity of multiplication w.r.t. the normal basis. 

We have the following bounds for the quantity $C_N$: 

$$2n - 1 \le C_N \le n^2.$$

In the design of an IC to implement the multiplication, each nonzero element of $\Lambda$ 
corresponds to a cell connection, and it is important to find bases of low complexity. (This 
is the criterion to which we were referring.) Bases that achieve the minimum possible 
complexity for a given value of n are referred to as minimal normal bases. If the minimum 
complexity is in fact the theoretical minimum of 2n - 1, then the minimal NB is called 
an Optimal Normal Basis (uniqueness of which can be shown easily [MOVW]). 
3.2 Construction of Optimal Normal Bases 

There are two types of optimal normal bases (ONBs), depending upon the way they are 
constructed: Type I and Type II optimal normal bases. It can be shown that 
these are the only types of ONBs, that is, all ONBs can be constructed by either the Type I 
or the Type II construction (for recent generalizations see [Men2]). Now let us see what the Type I and Type II 
constructions are [Men2]: 

Type I: Suppose n + 1 is a prime and q is primitive in $\mathbb{Z}_{n+1}$, where q is a prime or prime 
power. Then any primitive (n+1)-st root of unity generates an optimal normal 
basis (ONB) of GF(q^n) over GF(q), i.e. it is an optimal normal basis generator (ONBG). 

Type II: Let 2n + 1 be a prime and assume that $\mathbb{Z}_{2n+1}^*$ is generated by 2 and -1. Then 
$\alpha = \gamma + \gamma^{-1}$ generates an optimal normal basis for GF(2^n) over GF(2), where $\gamma$ is a 
primitive (2n+1)-st root of unity. 

For cryptographic purposes, it is important to have either a primitive element or an 
element of high multiplicative order in GF(2^n). Since Type II ONBGs invariably have 
large orders in the range of interest (mostly primitive), if they exist in GF(2^n), we will mostly be 
interested in the explicit construction of Type II only. So let us look into the way we can 
construct Type II ONBGs explicitly. 

3.3 Explicit construction of Type II ONBGs 

Here by explicit construction we mean expressing the ONBG in terms of the polynomial 
basis (standard or power basis) with which the field elements of GF(2^n) are expressed. 
(Here we mean a GF(2^n) in which we know that an ONBG exists.) That is to say, we want 
to express the ONBG in terms of the polynomial basis generated by the root of the 
irreducible polynomial used to construct the field GF(2^n). For this we clearly need the 
minimal polynomial of the Type II ONBG. 

Assuming that $\beta$ is the Type II ONBG for the field GF(2^n) (that is, the field in which 
its existence has been verified by the above stated criteria for the construction of Type 
II ONBGs), it is easy to derive that the minimal polynomial $m_\beta(x)$ of $\beta$ is specified in 
terms of the recursion [Men2]: 

Let $f_0(x) = 1$, $f_1(x) = x + 1$, 
$$f_i(x) = x\, f_{i-1}(x) + f_{i-2}(x), \qquad i \ge 2,$$

be the sequence of polynomials $f_i(x)$, $i = 1, 2, \dots$, over GF(2). Then if n is such that we 
have an ONBG guaranteed, $f_n(x)$ is the minimal polynomial $m_\beta(x)$ of the ONBG. 

We can clearly recognize that the sequence of polynomials $f_i(x)$ are nothing but the 
Fibonacci polynomials [McEl] reduced mod 2. This is a beautiful and quite useful coincidence, in that they 
are very easy to generate. 

Now that we have seen how to generate the minimal polynomial of an ONBG, let us see how 
the basic arithmetic operation of multiplication of elements expressed in terms of an optimal 
normal basis can be done. Based on the previous discussion regarding multiplication, we 
see that we need the bilinear form $c_0 = A \Lambda B^T$, for which we need the matrix of multiplication 
$\Lambda$ (it clearly depends on the particular normal basis chosen; it is different for 
different normal bases). Before that, let us see how we can construct the matrix of transformation 
T from the polynomial basis $PB = \{1, \alpha, \alpha^2, \dots, \alpha^{n-1}\}$, generated by a 
root $\alpha$ of the irreducible polynomial $m_\alpha(x)$ (of degree n) used to construct the field GF(2^n), 
to the optimal normal basis $\{\beta, \beta^2, \beta^{2^2}, \dots, \beta^{2^{n-1}}\}$ generated by the ONBG $\beta$ whose minimal 
polynomial is $m_\beta(x)$. 


3.4 Matrix of Transformation T 

As has been stated in the previous sections, Type II ONBGs usually are primitive or have 
large orders. If the ONBG $\beta$ is primitive, that is, it has multiplicative order 
$2^n - 1$, we can also use it to construct the field GF(2^n) using the $PB = \{1, \beta, \beta^2, \dots, \beta^{n-1}\}$ 
generated by it. In that case we call it a primitive ONBG, or PONBG for short, and we 
can build the matrix of transformation T very easily, as we will see in the following. 
But at times we may wish to construct the field using a different irreducible 
polynomial (preferably primitive) which has few nonzero coefficients, so that arithmetic with 
respect to the PB generated by its root $\alpha$ (i.e. modulo that irreducible polynomial) can be done 
efficiently, or the particular field chosen may not have a PONBG; then we need to look for 
a general method for constructing the matrix of transformation T. 

Let us start with the simpler case, namely that the ONBG is a PONBG and its minimal 
polynomial (hence the PB generated by it) is used to construct the field. Since the only 
way to construct an extension field of degree n is by taking residues modulo an irreducible 
polynomial of degree n, the elements of the extension field will, after construction, be expressed 
in terms of the PB whose generator is some root of the chosen irreducible polynomial, and we 
have the following procedure to build the matrix T: 

NB generated by the PONBG $\beta$: $\{\beta, \beta^2, \beta^{2^2}, \dots, \beta^{2^{n-1}}\}$ 

PB generated by the PONBG $\beta$: $\{1, \beta, \beta^2, \dots, \beta^{n-1}\}$ 

$\beta$ in terms of PB = (0, 1, 0, ..., 0) 
$\beta$ in terms of NB = (1, 0, 0, ..., 0) 

We have thus, in terms of PB, 

$\beta^2$ = (0, 0, 1, 0, ..., 0), 
$\beta^{2^2} = \beta^4$ = (0, 0, 0, 0, 1, 0, ..., 0), 
and so on, each $\beta^{2^i}$ being obtained from $\beta^{2^{i-1}}$ by squaring and reducing modulo $m_\beta(x)$ 
(the reduction becomes nontrivial once $2^i \ge n$). 

Hence, if we view any element of GF(2^n) in terms of PB, we can have the PB 
representation of the product and the sum of any two elements of GF(2^n) (reduced modulo $m_\beta(x)$, 
the minimal polynomial of $\beta$, which is also the chosen primitive irreducible polynomial). Therefore we can 
find the transformation matrix easily by multiplication modulo $m_\beta(x)$. 


Writing the PB coordinate vectors of $\beta, \beta^2, \dots, \beta^{2^{n-1}}$ as the columns of an $n \times n$ matrix 
over GF(2), that matrix is $T^{-1}$ and its inverse is T, so that for (column) coordinate vectors 

$$NB = T \cdot PB, \qquad PB = T^{-1} \cdot NB,$$

i.e. we can have the PB (NB) representation of any element from its NB (PB) representation once we 
know, or to say have constructed, the matrix T. Now let us recall, 

$$c_0 = \sum_{i=0}^{n-1} \sum_{j=0}^{n-1} a_i b_j \lambda_{ij}, \qquad \beta^{2^i} \beta^{2^j} = \sum_{k=0}^{n-1} \lambda_{ij}^{(k)} \beta^{2^k}, \qquad \lambda_{ij} = \lambda_{ij}^{(0)}.$$

Clearly, to get $c_0 = A \Lambda B^T$, i.e. to get the matrix $\Lambda$, from the above equation we can see that 
we need to find the NB representation of the products of the cross terms 

$$\beta^{2^i} \beta^{2^j}, \qquad 0 \le i, j \le n-1 \quad (n^2 \text{ elements}),$$

which will involve a lot of computation using n-bit elements and $m_\beta(x)$. So to simplify our 
task and arrive at $\Lambda = (\lambda_{ij})$, let us define another matrix Q which is related to $\Lambda$ in the 
following way: 

$$Q = (q_{ij}), \quad \text{where } \beta \cdot \beta^{2^i} = \sum_{j=0}^{n-1} q_{ij} \beta^{2^j}, \qquad \text{and } \lambda_{ij} = q_{\,j-i,\,-i} \quad (\text{indices mod } n).$$

(The relation follows by applying the automorphism $x \mapsto x^{2^{-i}}$ to the product $\beta^{2^i}\beta^{2^j}$: it sends 
the product to $\beta \cdot \beta^{2^{j-i}}$ and the basis element $\beta^{2^0}$ to $\beta^{2^{-i}}$, so the coefficient of $\beta$ in 
$\beta^{2^i}\beta^{2^j}$ is the coefficient of $\beta^{2^{-i}}$ in $\beta \cdot \beta^{2^{j-i}}$.) It is easy to see that the number of nonzero 
entries in the matrix Q is equal to $C_N$, since $(i,j) \mapsto (j-i, -i)$ is a bijection of the index pairs, 
so each element $q_{kl}$ of Q is equal to exactly one element $\lambda_{-l,\,k-l}$ of $\Lambda$. Now observe that 

$$\beta^{2^0} \beta^{2^i} = \beta \cdot \beta^{2^i} = \sum_{j=0}^{n-1} \lambda_{0i}^{(j)} \beta^{2^j} = \sum_{j=0}^{n-1} q_{ij} \beta^{2^j}.$$

Thus, we see that the number of nonzero entries (namely 1's) in row i of the matrix Q is 
equal to the number of 1's in the NB representation of the basis element $\beta^{2^i}$ multiplied 
by $\beta = \beta^{2^0}$. Therefore, if we compute the matrix Q, which requires only n products 
modulo $m_\beta(x)$ ($\beta \cdot \beta^{2^j}$, $0 \le j \le n-1$), we can have $\Lambda = (\lambda_{ij})$ by the relation $\lambda_{ij} = q_{j-i,-i}$ 
between the indices. So finally, to get $\Lambda = (\lambda_{ij})$ we adopt the following efficient 
procedure: 

(1) Find $m_\beta(x)$ using the Fibonacci recursive polynomials as explained in the previous 
section. 

(2) Find all the products $\beta \cdot \beta^{2^j}$, $0 \le j \le n-1$ (n products), modulo $m_\beta(x)$. 

(3) Express the PB representation of the above products in NB representation using the 
transformation matrix T. 

(4) Order all the above NB representations of $\beta \cdot \beta^{2^j}$, $0 \le j \le n-1$, with increasing j to 
give the matrix $Q = (q_{ij})$. 

(5) Use the relation $\lambda_{ij} = q_{j-i,-i}$ to get $\Lambda = (\lambda_{ij})$ from $Q = (q_{ij})$. 

(6) Use the so obtained $\Lambda$ in $c_0 = A \Lambda B^T$ to get the complete expansion of the 
bilinear form corresponding to the PONB representation of $A = (a_0, a_1, \dots, a_{n-1})$ and 
$B = (b_0, b_1, \dots, b_{n-1})$. 

Suppose the field is constructed using a different polynomial (i.e. when the ONBG 
is not a PONBG, or when another short irreducible polynomial has been chosen for that 
particular n which enables us to do arithmetic in the PB efficiently). Then one has to solve 
$m_\beta(x)$ in the field $\mathbb{F}_2[x]/\langle m_\alpha(x) \rangle$ using e.g. Berlekamp's algorithm [Men2] and pick 
any root 

$$\beta = \sum_{k=0}^{n-1} q_k \alpha^k, \qquad q_k \in \mathbb{F}_2.$$

Here by solving $m_\beta(x)$ in $\mathbb{F}_2[x]/\langle m_\alpha(x) \rangle$ we mean finding the roots of $m_\beta(x)$ in 
$\mathbb{F}_2[x]/\langle m_\alpha(x) \rangle$; since the roots are elements of $\mathbb{F}_2[x]/\langle m_\alpha(x) \rangle$, we will have 
them in the PB generated by the root $\alpha$ of $m_\alpha(x)$. Now we can build the matrix of transformation 
T as before (here $q_k = (\beta)_k$, the PB coordinates of $\beta$ defined above): the columns of $T^{-1}$ are the PB 
coordinate vectors, with respect to $\{1, \alpha, \dots, \alpha^{n-1}\}$, of $\beta, \beta^2, \dots, \beta^{2^{n-1}}$, each obtained from the 
previous one by squaring modulo $m_\alpha(x)$, starting from $\beta = (q_0, q_1, \dots, q_{n-1})$. 

Now the procedure to get $\Lambda = (\lambda_{ij})$ is the same as the above procedure, except that we use 
$m_\alpha(x)$ and the PB generated by $\alpha$ instead of the PB generated by the PONBG itself. 
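As an added example (not code from the thesis), the Python below carries out steps (1)-(6) of this section for the PONBG case: it checks the Type II criterion of Section 3.2, builds $m_\beta(x) = f_n(x)$ by the Fibonacci recursion, forms $T^{-1}$ from the PB coordinates of $\beta^{2^i}$ and inverts it over GF(2), computes the n products $\beta \cdot \beta^{2^i}$ to get Q, recovers $\Lambda$ through $\lambda_{ij} = q_{j-i,-i}$, and then verifies both $C_N = 2n-1$ and that the resulting ONB multiplier agrees with multiplication modulo $m_\beta(x)$. Polynomials and coordinate vectors are Python ints (bit i is the coefficient of $x^i$, resp. the i-th coordinate), matrices are lists of row-ints with a row-vector convention; all function names are my own.

```python
"""Added example, not from the thesis: the Type II ONB procedure of Sec. 3.2-3.4.
Polynomials over GF(2) are ints (bit i = coefficient of x^i); an NB or PB
coordinate vector (v_0, ..., v_{n-1}) is the int with bit i = v_i.  Matrices are
lists of row-ints; "vector times matrix" xors the rows selected by the set bits."""
import random


def is_prime(p):
    return p > 1 and all(p % d for d in range(2, int(p ** 0.5) + 1))


def has_type2_onb(n):
    """Type II criterion: 2n+1 prime and Z_{2n+1}^* generated by 2 and -1."""
    p = 2 * n + 1
    if not is_prime(p):
        return False
    sub, g = {1}, 2
    while g not in sub:                      # the cyclic subgroup <2>
        sub.add(g)
        g = 2 * g % p
    return len(sub) * (1 if p - 1 in sub else 2) == p - 1


def fibonacci_poly(n):
    """f_0 = 1, f_1 = x+1, f_i = x f_{i-1} + f_{i-2} over GF(2); f_n = m_beta(x)."""
    f_prev, f = 1, 0b11
    for _ in range(n - 1):
        f_prev, f = f, (f << 1) ^ f_prev
    return f


def mulmod(a, b, m, n):
    """a(x) b(x) mod m(x) with deg m = n and deg a, deg b < n (shift-and-xor)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n & 1:
            a ^= m
    return r


def gf2_inverse(rows, n):
    """Rows of M^-1 for the n x n GF(2) matrix M with rows[i] as i-th row (Gauss-Jordan)."""
    aug = [(rows[i], 1 << i) for i in range(n)]        # [M | I]
    for col in range(n):
        piv = next(r for r in range(col, n) if aug[r][0] >> col & 1)
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(n):
            if r != col and aug[r][0] >> col & 1:
                aug[r] = (aug[r][0] ^ aug[col][0], aug[r][1] ^ aug[col][1])
    return [inv for _, inv in aug]


def apply(rows, v):
    """Row vector v times the matrix with the given rows, over GF(2)."""
    r, i = 0, 0
    while v:
        if v & 1:
            r ^= rows[i]
        v >>= 1
        i += 1
    return r


def onb_multiplier(n):
    """Steps (1)-(5): return (m_beta, rows of Lambda, to_nb, to_pb) for GF(2^n)."""
    assert has_type2_onb(n), "no Type II ONB for this n"
    m = fibonacci_poly(n)                              # step (1)
    beta = 0b10                                        # x is a root of m_beta in GF(2)[x]/(m_beta)
    pb_of_nb, e = [], beta                             # row i = PB coordinates of beta^(2^i)
    for _ in range(n):
        pb_of_nb.append(e)
        e = mulmod(e, e, m, n)
    assert e == beta                                   # beta^(2^n) = beta
    nb_of_pb = gf2_inverse(pb_of_nb, n)                # the matrix T (PB -> NB)
    to_nb = lambda p: apply(nb_of_pb, p)
    to_pb = lambda a: apply(pb_of_nb, a)
    # steps (2)-(4): row i of Q = NB coordinates of beta * beta^(2^i), n products only
    Q = [to_nb(mulmod(beta, pb_of_nb[i], m, n)) for i in range(n)]
    # step (5): lambda_ij = q_{j-i, -i} with indices mod n
    Lam = [sum(((Q[(j - i) % n] >> ((-i) % n)) & 1) << j for j in range(n))
           for i in range(n)]
    return m, Lam, to_nb, to_pb


def onb_multiply(a, b, Lam, n):
    """Step (6): c_k = A Lambda B^T with A and B rotated left by k positions."""
    mask = (1 << n) - 1
    rot = lambda v, k: ((v >> k) | (v << (n - k))) & mask
    c = 0
    for k in range(n):
        ak, bk = rot(a, k), rot(b, k)
        ck = 0
        for i in range(n):
            if ak >> i & 1:
                ck ^= bin(Lam[i] & bk).count("1") & 1
        c |= ck << k
    return c


def complexity(Lam):
    """C_N = number of nonzero entries of Lambda."""
    return sum(bin(row).count("1") for row in Lam)


def check(n, trials=50):
    """C_N = 2n-1, and ONB multiplication agrees with PB multiplication mod m_beta."""
    m, Lam, to_nb, to_pb = onb_multiplier(n)
    assert complexity(Lam) == 2 * n - 1
    rng = random.Random(1)
    for _ in range(trials):
        a, b = rng.getrandbits(n), rng.getrandbits(n)
        assert to_pb(onb_multiply(a, b, Lam, n)) == mulmod(to_pb(a), to_pb(b), m, n)
    return complexity(Lam)


if __name__ == "__main__":
    for n in (2, 3, 5, 6, 9, 11):
        print(n, has_type2_onb(n), bin(fibonacci_poly(n)), "C_N =", check(n))
```

n = 11 is the case where 2 alone does not generate $\mathbb{Z}_{23}^*$ (it has order 11) but 2 and -1 together do; n = 8 fails because -1 already lies in the subgroup generated by 2 mod 17, so GF(2^8) has no Type II ONB. The cross-check against `mulmod` is the practitioner's guard against an index error in the $q_{j-i,-i}$ relation, which would still give the right entry count but a wrong multiplier.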

In the next chapter, we will see a novel procedure which is very simple and easy (one 
that involves almost no computation) to get the bilinear form of $c_0$ in terms of $\{a_i\}$ and 
$\{b_j\}$. 



Chapter 4 


Gao and Vanstone Basis 


In the previous chapter, we looked into how a Type II ONB is constructed in a field GF(2^n) 
which has an ONBG. We also saw the reasons why we study only Type II ONBs. Now in 
this chapter, let us see how we can derive another basis from the Type II ONB by rearranging 
it in a proper, well-defined (one-to-one) manner [GaV]. By doing so, we will see that we 
arrive at a different method for exponentiation (and hence multiplication), using which 
we can derive the bilinear form for $c_0 = A \Lambda B^T$ very easily. 

4.1 A New Basis 

Let us recall the way Type II ONBs are constructed: 

Type II: Let 2n + 1 be a prime and assume that $\mathbb{Z}_{2n+1}^*$ is generated by 2 and -1. Then 
$\alpha = \gamma + \gamma^{-1}$ generates an optimal normal basis for GF(2^n), where $\gamma$ is a primitive (2n+1)-st root 
of unity. 

Therefore the optimal normal basis generated by $\alpha$ is $\{\alpha, \alpha^2, \dots, \alpha^{2^{n-1}}\}$. We will arrange 
the elements of the basis in a different order. For an integer i, define $\gamma_i = \gamma^i + \gamma^{-i} = \gamma_{-i}$. 
Obviously $\gamma_0 = 0$ and $\gamma_1 = \alpha$. As the multiplicative order of $\gamma$ is 2n + 1, it is easy to check 
that $\gamma_i = \gamma_j$ iff $i \equiv \pm j \pmod{2n+1}$. So $\gamma_1, \gamma_2, \dots, \gamma_n$ are the distinct nonzero $\gamma_i$'s. We 
claim that 

$$\{\alpha, \alpha^2, \dots, \alpha^{2^{n-1}}\} = \{\gamma_1, \gamma_2, \dots, \gamma_n\}.$$

The reason is that for each $0 \le i \le n-1$, $\alpha^{2^i} = \gamma^{2^i} + \gamma^{-2^i} = \gamma_{2^i}$ belongs to the set on the 
right-hand side, while for each $1 \le i \le n$, since $\mathbb{Z}_{2n+1}^*$ is generated by 2 and -1, there is 
an integer k such that $i \equiv \pm 2^k \pmod{2n+1}$, and thus $\gamma_i = \alpha^{2^k}$ belongs to the set on the 
left-hand side. 

Therefore $\gamma_1, \gamma_2, \dots, \gamma_n$ form a basis of GF(2^n) over GF(2). To facilitate multiplication 
of elements represented under this basis, we define a new function from the set of integers 
to the set $\{0, 1, \dots, n\}$. For any integer i, define s(i) to be the unique integer such that 

$$0 \le s(i) \le n, \qquad i \equiv s(i) \pmod{2n+1} \ \text{ or } \ i \equiv -s(i) \pmod{2n+1}.$$

Obviously $s(0) = 0$, $s(i) = s(-i)$ and $\gamma_i = \gamma_{s(i)}$. 

As $\gamma_i \cdot \gamma_j = \gamma_{i-j} + \gamma_{i+j}$ for all i, j, we have 

$$\gamma_i \cdot \gamma_j = \gamma_{s(i+j)} + \gamma_{s(i-j)}, \qquad 1 \le i, j \le n.$$

Next we show how to compute the product $\gamma_i \cdot A$, where $1 \le i \le n$ and A is an arbitrary 
element in GF(2^n). Suppose that $A = \sum_{k=1}^{n} a_k \gamma_k$, where $a_k \in GF(2)$. Then 

$$\gamma_i \cdot A = \sum_{k=1}^{n} a_k\, \gamma_i \gamma_k = \sum_{k=1}^{n} a_k \big(\gamma_{s(k+i)} + \gamma_{s(k-i)}\big).$$

Note that 

$$\sum_{k=1}^{n} a_k \gamma_{s(k+i)} = \sum_{k=1}^{n-i} a_k \gamma_{k+i} + \sum_{k=n+1-i}^{n} a_k \gamma_{2n+1-(k+i)} = \sum_{k=i+1}^{n} a_{k-i} \gamma_k + \sum_{k=n+1-i}^{n} a_{2n+1-(k+i)} \gamma_k,$$

$$\sum_{k=1}^{n} a_k \gamma_{s(k-i)} = \sum_{k=1}^{i} a_k \gamma_{i-k} + \sum_{k=i+1}^{n} a_k \gamma_{k-i} = \sum_{k=1}^{i} a_{i-k} \gamma_k + \sum_{k=1}^{n-i} a_{k+i} \gamma_k,$$

where here and hereafter we assume that $a_0 = 0$. Since for each k exactly one of $k \le n-i$, 
$k \ge n+1-i$ holds, and $a_{s(k-i)}$ equals $a_{k-i}$ for $k > i$, $a_{i-k}$ for $k < i$ and $a_0 = 0$ for $k = i$, we see that 

$$\gamma_i \cdot A = \sum_{k=1}^{n} \big(a_{s(k-i)} + a_{s(k+i)}\big) \gamma_k = \sum_{k=1}^{c} (a_{i-k} + a_{k+i}) \gamma_k + \sum_{k=c+1}^{d} f_k \gamma_k + \sum_{k=d+1}^{n} \big(a_{k-i} + a_{2n+1-(k+i)}\big) \gamma_k,$$

where $c = \min(i, n-i)$, $d = \max(i, n-i) = n - c$ and 

$$f_k = \begin{cases} a_{i-k} + a_{2n+1-(k+i)} & \text{if } i > n-i, \\ a_{k-i} + a_{k+i} & \text{if } i < n-i. \end{cases}$$
This shows that $\gamma_i \cdot A$ can be computed in O(n) bit operations. 

Now, to compute $\alpha^e$ we can assume that $0 \le e \le 2^n - 1$, as $\alpha^{2^n - 1} = 1$. Write 
$e = \sum_{k=0}^{n-1} e_k 2^k$, where $e_k \in \{0, 1\}$. Then 

$$\alpha^e = \prod_{k=0}^{n-1} \big(\alpha^{2^k}\big)^{e_k} = \prod_{k=0}^{n-1} \big(\gamma_{s(2^k)}\big)^{e_k}.$$

This suggests that $\alpha^e$ can be computed iteratively as follows: 

Algorithm: 

Input: An integer e with $0 \le e \le 2^n - 1$. 

Output: $\alpha^e$ represented in the basis $(\gamma_1, \gamma_2, \dots, \gamma_n)$. 

Step 1: Set $A := 1 = \sum_{k=1}^{n} \gamma_k$ and compute the binary representation $e = \sum_{k=0}^{n-1} e_k 2^k$; 
Step 2: For k from 0 to n - 1, if $e_k = 1$ then set $A := \gamma_{s(2^k)} \cdot A$; 

Step 3: Return A; 

End. 

The correctness of the algorithm is obvious (note that $1 = \sum_{k=1}^{n} \gamma_k$, because $\sum_{m=1}^{2n} \gamma^m = -1 = 1$ 
in characteristic 2). The major cost is incurred at Step 2, where 
$\nu(e)$ products of the form $\gamma_i \cdot A$ are computed, $\nu(e)$ being the number of nonzero bits of e. Since we have shown that each such 
product can be computed in O(n) bit operations, the total cost is $O(n \cdot \nu(e))$ bit operations. 
Therefore $\alpha^e$ can be computed in $O(n \cdot \nu(e))$ bit operations. 

Now, multiplication in terms of the above Gao and Vanstone basis can be accomplished 
in the following obvious way: 

$$C = A \cdot B = \sum_{k=1}^{n} a_k (\gamma_k \cdot B),$$

where $\gamma_k \cdot B$ is given by the expression we derived before looking into the exponentiation 
algorithm. Using the above described form of multiplication, let us see in the next section how we can derive 
the bilinear form for $c_0$ (in terms of the coordinates of A and B with respect to the optimal 
normal basis $\{\alpha, \alpha^2, \dots, \alpha^{2^{n-1}}\}$). 
4.2 Bilinear Form Derived 


Let us define the coordinate vectors of elements of the field GF(2^n) (again we assume here 
that the existence of a Type II ONBG in this field has been verified) with respect to the 
$ONB = \{\alpha, \alpha^2, \dots, \alpha^{2^{n-1}}\}$ and the above introduced Gao and Vanstone basis $\{\gamma_1, \gamma_2, \dots, \gamma_n\}$ 
as follows: 

$$A = \sum_{k=1}^{n} a'_k \gamma_k = \sum_{k=0}^{n-1} a_k \alpha^{2^k}.$$

That is, 

$$A = (a'_1, a'_2, \dots, a'_n) \ \text{ in the } \{\gamma_k\} \text{ basis}, \qquad A = (a_0, a_1, \dots, a_{n-1}) \ \text{ in the } \{\alpha^{2^k}\} \text{ basis}.$$

The main observation which we will use here is that the Gao and Vanstone basis $\{\gamma_k\}$ 
is obtained from the Type II ONB $\{\alpha^{2^k}\}$ by permuting it in a one-to-one, well-defined manner. 
The permutation is given by $2^k \mapsto s(2^k)$. That is (recall the definition of s(i) from the 
previous section), 

$$2^k \equiv \pm i \pmod{2n+1}, \quad 1 \le i \le n, \qquad \text{maps } \alpha^{2^k} = \gamma_{2^k} \text{ to } \gamma_{s(2^k)} = \gamma_i$$

(since $\gamma$ is a (2n+1)-st root of unity). This implies that, given an element A with 

$$A = (a'_1, a'_2, \dots, a'_n) \ \{\gamma_k\}, \qquad A = (a_0, a_1, \dots, a_{n-1}) \ \{\alpha^{2^k}\},$$

each $a_k$ is mapped to a unique $a'_{s(2^k)} = a_k$. 

Now let 

$$C = A \cdot B = \sum_{i=1}^{n} a'_i (\gamma_i \cdot B) = \sum_{k=1}^{n} c'_k \gamma_k = \sum_{k=0}^{n-1} c_k \alpha^{2^k} = \sum_{i=0}^{n-1} \sum_{j=0}^{n-1} a_i b_j\, \alpha^{2^i} \alpha^{2^j},$$

$$C = (c'_1, c'_2, \dots, c'_n) \ \{\gamma_k\}, \qquad C = (c_0, c_1, \dots, c_{n-1}) \ \{\alpha^{2^k}\}.$$

Since $\gamma_1 = \alpha = \alpha^{2^0} = \gamma_{s(2^0)}$, we have $c'_1 = c_0$. (Remember that we have assumed $b'_0 = 0$ in the 
expansion of $\gamma_i \cdot B$.) Therefore we have, on comparing the coefficients of $\gamma_1$ on both sides 
of the product equation given above (i.e. with k = 1): 

$$c'_1 = c_0 = \sum_{i=1}^{n} a'_i \big(b'_{s(1-i)} + b'_{s(1+i)}\big) = a'_1 (b'_0 + b'_2) + a'_2 (b'_1 + b'_3) + \dots + a'_n \big(b'_{s(n-1)} + b'_{s(n+1)}\big),$$

$$c'_1 = c_0 = a'_1 (b'_0 + b'_2) + a'_2 (b'_1 + b'_3) + \dots + a'_{n-1} (b'_{n-2} + b'_n) + a'_n (b'_{n-1} + b'_n).$$

Now since we have the one-to-one correspondence $a_k \leftrightarrow a'_{s(2^k)}$ (similarly for the $b_k$'s), given by 
computing the pairs $(2^k, s(2^k))$, we can write the above expression for $c'_1 = c_0$ entirely in 
terms of the $a_k$'s and $b_k$'s, which is what we want, namely the bilinear form for $c_0$ in terms 
of the coordinates of A and B w.r.t. the ONB generated by $\alpha$. Upon summarizing the method we 
have the following procedure: 

(1) Compute the correspondence pairs $(2^k, s(2^k))$, $0 \le k \le n-1$. 

(2) Substitute i = 1 in the expansion of $\gamma_i \cdot B$ to get the expression for $c'_1 = c_0$ in terms 
of the $a'_k$'s and $b'_k$'s. 

(3) De-associate using the computed correspondence pairs to get the bilinear form for $c_0$. 

Observe that since $b'_0 = 0$ we have 2(n - 1) terms of the type $a_i b_j$ from $a'_2, \dots, a'_n$ and the single 
term $a'_1 b'_2 = a_0 b_1$ from $a'_1$, so in total we have $2(n-1) + 1 = 2n - 1$ terms. This is what is expected, since we are working 
with optimal normal bases, which have complexity $C_N = 2n - 1$. Moreover, this method 
gives the expression directly in the form of a sum of (2n - 1) terms of the type $a_i b_j$, 
which is efficiently implementable in software or hardware. We can easily verify that it is 
commutative, $C = A \cdot B = B \cdot A$. 
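As an added example (not code from the thesis or from [GaV]), the Python below implements the Gao and Vanstone basis arithmetic of this chapter purely by index manipulation with the function s(i): the O(n) product $\gamma_i \cdot A$, the multiplication $C = \sum_k a_k(\gamma_k \cdot B)$, the Step 1-3 exponentiation of $\alpha^e$, and steps (1)-(3) of this section, which produce the list of index pairs (i, j) with $\lambda_{ij} = 1$ in ONB coordinates. It then checks that the list has 2n - 1 entries and that the form agrees with the $\gamma_1$ coordinate of the product computed in the $\{\gamma_k\}$ basis. It assumes n satisfies the Type II condition of Section 3.2 (it does not re-test that); elements are lists of n + 1 bits with index 0 unused, so that $a_0 = 0$ holds automatically. Function names are mine.

```python
"""Added example, not from the thesis: arithmetic in the Gao-Vanstone basis
gamma_1..gamma_n of GF(2^n) (Ch. 4), gamma_i = g^i + g^-i for g a primitive
(2n+1)-st root of unity, assuming the Type II condition of Sec. 3.2 holds for n.
An element is a list of n+1 bits: A[k] = a_k for k = 1..n and A[0] = a_0 = 0."""
import random


def s(i, n):
    """The unique 0 <= s <= n with i = +-s (mod 2n+1)."""
    i %= 2 * n + 1
    return i if i <= n else 2 * n + 1 - i


def gamma_times(i, A, n):
    """gamma_i * A = sum_k (a_{s(k-i)} + a_{s(k+i)}) gamma_k, O(n) bit operations."""
    return [0] + [A[s(k - i, n)] ^ A[s(k + i, n)] for k in range(1, n + 1)]


def gv_multiply(A, B, n):
    """C = A * B = sum_k a_k (gamma_k * B)."""
    C = [0] * (n + 1)
    for k in range(1, n + 1):
        if A[k]:
            C = [c ^ d for c, d in zip(C, gamma_times(k, B, n))]
    return C


def gv_one(n):
    """1 = gamma_1 + ... + gamma_n (sum of all nontrivial powers of g is -1 = 1)."""
    return [0] + [1] * n


def alpha_power(e, n):
    """alpha^e by Steps 1-3: one product gamma_{s(2^k)} * A per set bit of e."""
    A = gv_one(n)
    for k in range(n):
        if e >> k & 1:
            A = gamma_times(s(1 << k, n), A, n)
    return A


def onb_to_gv(a, n):
    """ONB coordinates (a_0..a_{n-1}) of alpha^(2^k) -> GV coordinates, a'_{s(2^k)} = a_k."""
    A = [0] * (n + 1)
    for k in range(n):
        A[s(1 << k, n)] = a[k]
    return A


def gv_to_onb(A, n):
    return [A[s(1 << k, n)] for k in range(n)]


def c0_bilinear_form(n):
    """Steps (1)-(3): index pairs (i, j) with lambda_ij = 1, so that in ONB coordinates
    c_0 = sum of a_i b_j over the pairs.  From c'_1 = sum_k a'_k (b'_{s(k-1)} + b'_{s(k+1)})
    with b'_0 = 0, then k -> the exponent with s(2^exponent) = k."""
    exp_of = {s(1 << k, n): k for k in range(n)}        # inverse of 2^k -> s(2^k)
    pairs = []
    for k in range(1, n + 1):
        for j in (s(k - 1, n), s(k + 1, n)):
            if j:                                        # b'_0 = 0 drops the term
                pairs.append((exp_of[k], exp_of[j]))
    return sorted(pairs)


def c0_from_form(a, b, pairs):
    """Evaluate the bilinear form on ONB coordinate vectors a, b."""
    return sum(a[i] & b[j] for i, j in pairs) & 1


def check(n, trials=50):
    """2n-1 terms, form == gamma_1 coordinate of the GV product, 1 is neutral, alpha^(2^n-1) = 1."""
    pairs = c0_bilinear_form(n)
    assert len(pairs) == 2 * n - 1
    rng = random.Random(7)
    for _ in range(trials):
        a = [rng.randrange(2) for _ in range(n)]
        b = [rng.randrange(2) for _ in range(n)]
        A, B = onb_to_gv(a, n), onb_to_gv(b, n)
        assert gv_multiply(A, B, n)[1] == c0_from_form(a, b, pairs)
        assert gv_multiply(A, B, n) == gv_multiply(B, A, n)
        assert gv_multiply(A, gv_one(n), n) == A
    assert alpha_power((1 << n) - 1, n) == gv_one(n)
    return len(pairs)


if __name__ == "__main__":
    n = 5                                   # 2n+1 = 11, and 2 is a primitive root mod 11
    print("pairs (i, j) with lambda_ij = 1:", c0_bilinear_form(n))
    print("terms:", check(n), "alpha^4 =", gv_to_onb(alpha_power(4, n), n))
```

For n = 5 the correspondence pairs are $(2^k, s(2^k)) = (1,1), (2,2), (4,4), (8,3), (16,5)$, and the nine surviving terms of $c_0$ are $a_0 b_1 + a_1 b_0 + a_1 b_3 + a_2 b_3 + a_2 b_4 + a_3 b_1 + a_3 b_2 + a_4 b_2 + a_4 b_4$. Nothing in the derivation needed a polynomial reduction, which is the point of the chapter; the random cross-check guards the one place where an off-by-one in s(i) would go unnoticed, since the term count comes out as 2n - 1 regardless.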
Chapter 5 


Design and Implementation 


In this chapter we will first see how to do certain computations efficiently. The computations 
in which we will mostly be interested are those related to the efficient implementation 
of Elliptic Curve Cryptosystems. Here we will confine our attention only to curves over 
finite fields. In the later sections we will see the design aspects involved. 


5.1 Certain Computations 

In this section we will see how we can solve the equation of an elliptic curve over a finite 
field (of nonzero characteristic) given in Weierstrass affine (non-homogeneous) form. 
Firstly let us consider curves over GF(2^m). As is clear from our previous chapters, 
we will be working entirely with those extensions of GF(2) which have an ONBG in them, 
and hence we assume that the elements of the field are expressed w.r.t. the normal basis 
generated by the ONBG and that multiplication of field elements is done using the bilinear 
form for $c_0$. We will see in this section some more advantages of expressing the elements 
of the field in terms of a normal basis. 

Let us recall the Weierstrass equation for an elliptic curve using non-homogeneous 
(affine) coordinates x = X/Z, y = Y/Z: 

$$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6.$$

An elliptic curve E is the set of solutions to the above equation in $\bar K \times \bar K$ (where $\bar K$ is 
the algebraic closure of the field K over which the curve is defined), together with the extra 
point at infinity O. If $a_1, a_2, a_3, a_4, a_6 \in K$, then E is said to be defined over K, and we 
denote this by E/K. If E is defined over K, then the set of K-rational points of E, denoted 
by E(K), is the set of points both of whose coordinates lie in K, together with the point O. 

Solving for the K-rational points of E, i.e. E(K), where K = GF(2^m): 
The Weierstrass equation can be written as follows: 

$$y^2 + (a_1 x + a_3) y = x^3 + a_2 x^2 + a_4 x + a_6 \ \Longrightarrow\ y^2 + B(x)\, y = C(x),$$

where $B(x) = a_1 x + a_3$ and $C(x) = x^2 (x + a_2) + (a_4 x + a_6)$. Therefore, solving for the 
K-rational points of E involves the solution of the above quadratic equation for all $x \in GF(2^m) = K$. 

Let $\beta$ be the NBG, i.e. $NB = \{\beta, \beta^2, \dots, \beta^{2^{m-1}}\}$. Clearly $\beta^2, \dots, \beta^{2^{m-1}}$ are the conjugates of 
$\beta$. Let $a \in GF(2^m)$. Then 

$$a = \sum_{i=0}^{m-1} a_i \beta^{2^i}, \qquad a_i \in \mathbb{F}_2.$$

Now, we have the Trace function $\mathrm{Tr}(\cdot)$ given by 

$$\mathrm{Tr} : \mathbb{F}_{2^m} \to \mathbb{F}_2, \qquad \mathrm{Tr}(a) = \sum_{i=0}^{m-1} a^{2^i} \quad \text{for any } a \in \mathbb{F}_{2^m}.$$

Since the Trace is a surjective homomorphism and $\ker(\mathrm{Tr}) \neq \mathbb{F}_{2^m}$ (i.e. it is a strict 
subset of GF(2^m)), we have that half of the elements ($2^{m-1}$) have Trace 1 and half 
have Trace 0 (since $|\ker| \cdot |\mathrm{image}| = |G|$ for any homomorphism out of a group G, and in our case 
$|\mathrm{image}| = 2$). We also have the following obvious properties of the Trace: 

$$\mathrm{Tr}(a\alpha + b\beta) = a\,\mathrm{Tr}(\alpha) + b\,\mathrm{Tr}(\beta) \quad \forall a, b \in \mathbb{F}_2 \text{ and } \alpha, \beta \in \mathbb{F}_{2^m},$$

$$\mathrm{Tr}(a^2) = \mathrm{Tr}(a), \ \text{i.e. the Trace is the same for all conjugates of } a.$$

Therefore we have: 

$$\mathrm{Tr}(a) = \sum_{i=0}^{m-1} a_i\, \mathrm{Tr}(\beta^{2^i}) = \sum_{i=0}^{m-1} a_i\, \mathrm{Tr}(\beta) = \Big(\sum_{i=0}^{m-1} a_i\Big) \mathrm{Tr}(\beta) \quad \text{for any } a \in \mathbb{F}_{2^m}.$$

Clearly from the above equation the Trace of a normal basis generator has to be 1, or else 
it would imply that the Trace of every element is 0. Hence we conclude that 

$$\mathrm{Tr}(\beta) = 1 \quad \text{if } \beta \text{ is a normal basis generator},$$

and hence 

$$\mathrm{Tr}(\beta) = \beta + \beta^2 + \beta^{2^2} + \dots + \beta^{2^{m-1}} = 1 \ \Longrightarrow\ \text{the element } 1 = (1, 1, 1, \dots, 1, 1),$$

i.e. the vector of all 1's w.r.t. a NB. We thus have that the Trace of any element in terms of 
a NB representation is simply given by the sum of its coordinates. Now let us turn 
to the problem of solving the quadratic 

$$y^2 + By = C$$

(here B and C mean B(x) and C(x), i.e. the x-dependency is understood from the previous 
section). We will study the following different cases: 

CASE 1: When B = 0, C ≠ 0: 

$$y^2 = C = \gamma \ \text{(say)},$$

for which we clearly have the unique solution 

$$y = \gamma^{2^{m-1}},$$

which involves 1 left cyclic shift of the coordinate vector (= m - 1 right shifts), since squaring 
is a right cyclic shift. 

CASE 2: B = 1, C ≠ 0: 

$$y^2 + y = C = \gamma,$$

which has solutions iff $\mathrm{Tr}(\gamma) = 0$. Now let $\gamma = (\gamma_0, \gamma_1, \dots, \gamma_{m-1})$ in terms of the chosen 
NB. Let 

$$y = (y_0, y_1, \dots, y_{m-1}) \ \Longrightarrow\ y^2 = (y_{m-1}, y_0, \dots, y_{m-2}).$$

Therefore $y^2 + y = \gamma$ gives 

$$y_0 + y_{m-1} = \gamma_0, \qquad y_0 + y_1 = \gamma_1, \qquad y_1 + y_2 = \gamma_2, \qquad \dots$$

and so on, by comparing the coordinate vectors on both sides. Clearly, fixing $y_0 = 0$ gives 
one solution and $y_0 = 1$ gives the other solution of the quadratic uniquely, since all other 
$y_i$'s can then be solved for (the remaining equation $y_0 + y_{m-1} = \gamma_0$ is then satisfied exactly when 
$\sum_i \gamma_i = \mathrm{Tr}(\gamma) = 0$). 

CASE 3: B ≠ 0, C ≠ 0: 

$$y^2 + By = C.$$

Set $z = B^{-1} y$ and $\gamma = C (B^{-1})^2$; then the above equation reduces to CASE 2: 

$$z^2 + z = \gamma,$$

which has solutions iff $\mathrm{Tr}(\gamma) = \mathrm{Tr}(C(B^{-1})^2) = 0$, and the solutions of the original equation 
are given by 

$$y_1 = B z_1, \qquad y_2 = B(z_1 + 1) = B z_2.$$
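As an added example (not code from the thesis), the following Python works entirely on NB coordinate vectors, as the cases above do: the trace as the coordinate sum, squaring and square roots as cyclic shifts (Case 1), and the recurrence $y_{i-1} + y_i = \gamma_i$ with the two choices of $y_0$ for $y^2 + y = \gamma$ (Case 2), including the trace check that decides solvability. It also enumerates a small field to confirm that exactly $2^{m-1}$ elements have trace 0 and that each of them has exactly the two solutions, differing by the all-ones vector 1. Case 3 is deliberately not implemented, since it needs $B^{-1}$ and a field multiplication, which the shift-only representation cannot supply; the names are mine.

```python
"""Added example, not from the thesis: Sec. 5.1 in normal-basis coordinates.
A field element of GF(2^m) is a list of m bits (a_0, ..., a_{m-1}) w.r.t. the
NB {beta, beta^2, ..., beta^(2^(m-1))}; 1 is the all-ones vector and squaring is
a cyclic shift, so Cases 1 and 2 need no field multiplication at all."""


def nb_trace(v):
    """Tr(a) = sum of the NB coordinates mod 2."""
    return sum(v) & 1


def nb_square(v):
    """y^2 = (y_{m-1}, y_0, ..., y_{m-2}): one right cyclic shift."""
    return v[-1:] + v[:-1]


def nb_sqrt(v):
    """Case 1: y = gamma^(2^(m-1)), the inverse shift (1 left shift = m-1 right shifts)."""
    return v[1:] + v[:1]


def nb_add(u, v):
    return [x ^ y for x, y in zip(u, v)]


def solve_y2_plus_y(g):
    """Case 2: both solutions of y^2 + y = gamma, or None when Tr(gamma) = 1.
    Coordinatewise: y_{i-1} + y_i = g_i for i >= 1, and y_{m-1} + y_0 = g_0."""
    m = len(g)
    if nb_trace(g):
        return None
    sols = []
    for y0 in (0, 1):                          # the two solutions differ by 1 = (1, ..., 1)
        y = [y0]
        for i in range(1, m):
            y.append(y[i - 1] ^ g[i])
        assert y[-1] ^ y[0] == g[0]            # wrap-around equation; holds iff Tr(gamma) = 0
        sols.append(y)
    return sols


def solve_quadratic(B, C):
    """y^2 + B y = C for B = 0 (Case 1) or B = 1 (Case 2), C given in NB coordinates.
    Case 3 (general B) first needs z = B^-1 y and gamma = C B^-2, i.e. an inversion
    and a multiplication, which this shift-only example does not provide."""
    if not any(B):
        return [nb_sqrt(C)]
    if all(B):
        return solve_y2_plus_y(C) or []
    raise NotImplementedError("Case 3 needs field multiplication")


def count_trace_zero(m):
    """Number of gamma in GF(2^m) with Tr(gamma) = 0 (must be 2^(m-1)); on the way,
    verify both solutions of y^2 + y = gamma for each such gamma."""
    count = 0
    for bits in range(1 << m):
        g = [bits >> i & 1 for i in range(m)]
        sols = solve_y2_plus_y(g)
        if sols is not None:
            count += 1
            assert all(nb_add(nb_square(y), y) == g for y in sols)
            assert nb_add(sols[0], sols[1]) == [1] * m
    return count


if __name__ == "__main__":
    g = [0, 1, 1, 0]                           # constructed sample with Tr(g) = 0
    print("y^2 + y =", g, "->", solve_y2_plus_y(g))
    print("trace-zero elements of GF(2^4):", count_trace_zero(4))
```

Because the whole cost of solving the curve equation for a given x reduces, in Cases 1 and 2, to m xors and a parity check, the x-coordinate loop of a point-counting or point-finding routine in this representation is dominated by computing C(x) and, in Case 3, by the single inversion of B(x).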

Now let us see how we can compute the inverse of an element efficiently. The most 
efficient technique, from the point of view of minimizing the number of multiplications, 
to compute the inverse of an element of GF(2^m) was proposed by Itoh, Teechai and Tsujii 
[Menl]. Observe that if $a \in \mathbb{F}_{2^m}$, $a \neq 0$, then 

$$a^{-1} = a^{2^m - 2} = \big(a^{2^{m-1} - 1}\big)^2.$$

If m is odd, then since 

$$2^{m-1} - 1 = \big(2^{(m-1)/2} - 1\big)\big(2^{(m-1)/2} + 1\big),$$

we have 

$$a^{2^{m-1} - 1} = \Big(a^{2^{(m-1)/2} - 1}\Big)^{2^{(m-1)/2}} \cdot a^{2^{(m-1)/2} - 1}.$$

Hence it takes only one multiplication to evaluate $a^{2^{m-1} - 1}$ once the quantity $a^{2^{(m-1)/2} - 1}$ 
has been computed (we are ignoring the cost of squaring, which in a normal basis is a cyclic shift). 
If m is even, then we have 

$$2^{m-1} - 1 = 2\big(2^{m-2} - 1\big) + 1 = 2\big(2^{(m-2)/2} - 1\big)\big(2^{(m-2)/2} + 1\big) + 1,$$

$$a^{2^{m-1} - 1} = \Big(\big(a^{2^{(m-2)/2} - 1}\big)^{2^{(m-2)/2}} \cdot a^{2^{(m-2)/2} - 1}\Big)^2 \cdot a,$$

and consequently it takes two multiplications to evaluate $a^{2^{m-1} - 1}$ once $a^{2^{(m-2)/2} - 1}$ has been 
computed. The procedure is then repeated recursively. 


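The recursion above, as an added Python example (not the thesis's implementation): a small polynomial-basis $\mathrm{GF}(2^m)$ with an operation counter, so that the number of general multiplications used by the Itoh-Tsujii recursion can be checked against $\lfloor \log_2(m-1) \rfloor + w(m-1) - 1$. The field is defined by an irreducible polynomial supplied by the caller; the AES polynomial $x^8 + x^4 + x^3 + x + 1$ and the NIST binary-field polynomial $x^{163} + x^7 + x^6 + x^3 + 1$ are used as constructed inputs. Squarings are counted separately, since in an optimal normal basis they are free.

```python
# Added example: Itoh-Tsujii inversion a^{-1} = (a^{2^{m-1}-1})^2 in GF(2^m).
# Field elements are Python ints whose bits are the coefficients in a polynomial
# basis; `poly` is an irreducible polynomial of degree m with the x^m bit set.
# This illustrates the recursion; it is not the thesis's normal-basis code.

def gf_mul(a, b, m, poly):
    """Multiply two elements of GF(2)[x]/(poly)."""
    r = 0
    for i in range(m):
        if (b >> i) & 1:
            r ^= a << i
    for i in range(2 * m - 2, m - 1, -1):   # reduce degrees 2m-2 .. m
        if (r >> i) & 1:
            r ^= poly << (i - m)
    return r


def gf_pow2k(a, k, m, poly, count):
    """a^(2^k) by k squarings (a cyclic shift each in an optimal normal basis)."""
    count["sqr"] += k
    for _ in range(k):
        a = gf_mul(a, a, m, poly)
    return a


def exp_2k_minus_1(a, k, m, poly, count):
    """a^(2^k - 1), recursing on k exactly as the text recurses on m - 1."""
    if k == 1:
        return a
    if k % 2 == 0:
        # 2^k - 1 = (2^(k/2) - 1)(2^(k/2) + 1): one multiplication
        t = exp_2k_minus_1(a, k // 2, m, poly, count)
        count["mul"] += 1
        return gf_mul(gf_pow2k(t, k // 2, m, poly, count), t, m, poly)
    # 2^k - 1 = 2 (2^(k-1) - 1) + 1: one squaring and one further multiplication
    t = exp_2k_minus_1(a, k - 1, m, poly, count)
    count["mul"] += 1
    return gf_mul(gf_pow2k(t, 1, m, poly, count), a, m, poly)


def gf_inverse(a, m, poly, count=None):
    """Return a^{-1} in GF(2^m) for a != 0; `count` collects the operation counts."""
    if count is None:
        count = {"mul": 0, "sqr": 0}
    t = exp_2k_minus_1(a, m - 1, m, poly, count)
    return gf_pow2k(t, 1, m, poly, count)      # (a^(2^(m-1)-1))^2 = a^(2^m - 2)


def expected_mults(m):
    """floor(log2(m-1)) + binary weight(m-1) - 1 general multiplications."""
    e = m - 1
    return e.bit_length() - 1 + bin(e).count("1") - 1


if __name__ == "__main__":
    AES_POLY = 0x11B                               # x^8 + x^4 + x^3 + x + 1
    B163_POLY = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1
    for m, poly, a in ((8, AES_POLY, 0x53), (163, B163_POLY, 0xDEADBEEF)):
        cnt = {"mul": 0, "sqr": 0}
        inv = gf_inverse(a, m, poly, cnt)
        assert gf_mul(a, inv, m, poly) == 1
        print(f"m={m}: {cnt['mul']} multiplications (expected {expected_mults(m)}), "
              f"{cnt['sqr']} squarings")
```

The total number of squarings is always $m - 1$; only the multiplication count depends on the binary structure of $m - 1$, which is why the method pairs so well with an optimal normal basis.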
Now let us consider solving a curve (quadratic in $y$) defined over $\mathbb{F}_p$. Curves over such fields (with $p > 3$) can be reduced to the short Weierstrass normal form

$$y^2 = x^3 + ax + b.$$

Therefore a curve is described by the coefficients $(a, b)$. For a given $x$, solving the curve means solving the quadratic $y^2 = x^3 + ax + b = c$ over $\mathbb{F}_p$. So let us see how to compute square roots modulo $p$. We know that the quadratic congruence $x^2 \equiv a \pmod p$ has solutions iff the Legendre character (or symbol) [Ono][Chah][IrRo] (this is analogous to the trace function in the $\mathrm{GF}(2^m)$ case)

$$\chi_p(a) \equiv a^{(p-1)/2} \equiv 1 \pmod p$$

[Ono][IrRo]. Using quadratic reciprocity (or simply computing $a^{(p-1)/2} \bmod p$), one can quickly determine whether or not an integer $a$ is a quadratic residue modulo $p$. However, if it is a residue, that does not tell us how to find a solution to the congruence $x^2 \equiv a \pmod p$; it tells us only that a solution exists. Let us see an (efficient) algorithm for finding a square root of a residue $a$ once we know any nonresidue $n$.

Let $p$ be an odd prime, and suppose that we somehow know a quadratic nonresidue $n$. Let $a$ be an integer such that $\chi_p(a) = 1$. We want to find an integer $x$ such that $x^2 \equiv a \pmod p$. Here is how we proceed. First write $p - 1$ in the form $2^{\alpha} \cdot s$, where $s$ is odd. Then compute $n^s$ modulo $p$, and call that $b$. Next compute $a^{(s+1)/2}$ modulo $p$, and call that $r$. Our first claim is that $r$ comes reasonably close to being a square root of $a$. More precisely, if we take the ratio of $r^2$ to $a$, we claim that we get a $2^{\alpha-1}$-th root of unity modulo $p$. Namely, we compute (for brevity, we shall use the equality sign to mean congruence modulo $p$, and we use $a^{-1}$ to mean the inverse of $a$ modulo $p$):

$$\bigl(r^2 a^{-1}\bigr)^{2^{\alpha-1}} = \bigl(a^{s+1} a^{-1}\bigr)^{2^{\alpha-1}} = a^{s \cdot 2^{\alpha-1}} = a^{(p-1)/2} = \chi_p(a) = 1.$$

We must then modify $r$ by a suitable $2^{\alpha}$-th root of unity to get an $x$ such that $x^2/a$ is 1. To do this, we claim that $b$ is a primitive $2^{\alpha}$-th root of unity, which means that all $2^{\alpha}$-th roots of unity are powers of $b$. To see this, first we note that $b$ is a $2^{\alpha}$-th root of 1, because $b^{2^{\alpha}} = n^{2^{\alpha} s} = n^{p-1} = 1$. If $b$ weren't primitive, there would be a lower power (a divisor of $2^{\alpha}$) of $b$ that gives 1. But then $b$ would be an even power of a primitive $2^{\alpha}$-th root of unity, and so would be a square in $\mathbb{F}_p^*$. This is impossible, because $\chi_p(b) = [\chi_p(n)]^s = -1$ (since $s$ is odd and $n$ is a nonresidue). Thus, $b$ is a primitive $2^{\alpha}$-th root of unity. So it remains to find a suitable power $b^j$, $0 \le j < 2^{\alpha}$, such that $x = b^j r$ gives the desired square root of $a$. To do that, we write $j$ in binary as $j = j_0 + 2 j_1 + 4 j_2 + \cdots + 2^{\alpha-2} j_{\alpha-2}$, and show how one successively determines whether $j_0, j_1, \ldots$ is 0 or 1. (Note that we may suppose that $j < 2^{\alpha-1}$, since $b^{2^{\alpha-1}} = -1$, and so $j$ can be modified by $2^{\alpha-1}$ to give another $j$ for which $b^j r$ is the other square root of $a$.) Here is the inductive procedure for determining the binary digits of $j$:

(1) Raise $r^2/a$ to the $2^{\alpha-2}$-th power. We proved that the square of this is 1. Hence, you get either $\pm 1$. If you get 1, take $j_0 = 0$; if you get $-1$, take $j_0 = 1$. Notice that $j_0$ has been chosen so that $(b^{j_0} r)^2/a$ is a $2^{\alpha-2}$-th root of unity.

(2) Suppose you've found $j_0, \ldots, j_{k-1}$ such that $\bigl(b^{j_0 + 2 j_1 + \cdots + 2^{k-1} j_{k-1}}\, r\bigr)^2/a$ is a $2^{\alpha-k-1}$-th root of unity, and you want to find $j_k$. Raise this number to half the power that gives 1, and choose $j_k$ according to whether you get $+1$ or $-1$:

$$\text{if } \Bigl(\bigl(b^{j_0 + 2 j_1 + \cdots + 2^{k-1} j_{k-1}}\, r\bigr)^2/a\Bigr)^{2^{\alpha-k-2}} = 1 \text{ or } -1, \text{ then take } j_k = 0 \text{ or } 1 \text{ respectively.}$$

We easily check that with this choice of $j_k$ the "corrected" value comes closer to being a square root of $a$, i.e., we find that $\bigl(b^{j_0 + 2 j_1 + \cdots + 2^{k} j_{k}}\, r\bigr)^2/a$ is a $2^{\alpha-k-2}$-th root of unity (if the power above was $-1$, the extra factor $b^{2^k}$ contributes $\bigl(b^{2^{k+1}}\bigr)^{2^{\alpha-k-2}} = b^{2^{\alpha-1}} = -1$, which cancels it).

When we get to $k = \alpha - 2$ and find $j_{\alpha-2}$, we then have

$$\bigl(b^{j_0 + 2 j_1 + \cdots + 2^{\alpha-2} j_{\alpha-2}}\, r\bigr)^2/a = 1,$$

i.e. $b^j r$ is a square root of $a$, as desired.


Remarks. 1. The easiest case of this algorithm occurs when $p$ is a prime which is $\equiv 3 \pmod 4$. Then $\alpha = 1$, $s = (p-1)/2$, so $(s+1)/2 = (p+1)/4$, and we see that $x = r = a^{(p+1)/4}$ is already the desired square root.

2. We now discuss the time estimate for this algorithm. We suppose that we start already knowing the information that $n$ is a nonresidue. The steps in finding $s$, $b$ and $r = a^{(s+1)/2}$ (working modulo $p$, of course) take at most $O(\log^3 p)$ bit operations. Then in finding $j$ the most time-consuming part of the $k$-th induction step is raising a number to the $2^{\alpha-k-2}$-th power, and this means $\alpha - k - 2$ squarings mod $p$ of integers less than $p$. Since $\alpha - k - 2 < \alpha$, we have the estimate $O(\alpha \log^2 p)$ for each step. Thus, since there are $\alpha - 1$ steps, the final estimate is $O(\log^3 p + \alpha^2 \log^2 p) = O\bigl(\log^2 p\,(\log p + \alpha^2)\bigr)$. At worst (if almost all of $p - 1$ is a power of 2), this is $O(\log^4 p)$, since $\alpha \le \log_2 p = O(\log p)$. Thus, given a nonresidue modulo $p$, we can extract square roots mod $p$ in polynomial time (bounded by the fourth power of the number of bits in $p$).

3. Strictly speaking, it is not known (unless one assumes the validity of the so-called "Riemann Hypothesis", in its generalized form) whether there is a deterministic algorithm for finding a nonresidue modulo $p$ in polynomial time. However, given any $\varepsilon > 0$ there is a polynomial time algorithm that finds a nonresidue with probability greater than $1 - \varepsilon$. Namely, a randomly chosen number $n$, $0 < n < p$, has a 50% chance of being a nonresidue, and this can be checked in polynomial time (by computing $n^{(p-1)/2} \bmod p$). If we do this for more than $\log_2(1/\varepsilon)$ different randomly chosen $n$, then with probability $> 1 - \varepsilon$ at least one of them will be a nonresidue.

We have till now looked into how we can solve a quadratic over finite fields of characteristic 2 or $p$. Now let us see where we will be using them in the context of Elliptic Curve Cryptosystems (ECC) [Men1].

Irrespective of the scheme we use to implement ECC (e.g. El Gamal, Omura-Massey [Kob1]) we have to implement one important aspect common to all of them, namely message embedding. That is, we will have to first embed the message onto some point on the (chosen) elliptic curve before going to the actual scheme. So let us see how we can embed a message onto a point on the elliptic curve. Here is one method to embed plaintexts as points on an elliptic curve $E$ over $\mathbb{F}_q$, where $q$ is assumed to be large (and odd). Let $k$ be a large enough integer so that we are satisfied with a failure probability of 1 out of $2^k$ when we attempt to embed a plaintext message unit $m$; in practice $k = 30$ or at worst $k = 50$ should suffice. We suppose that our message units $m$ are integers $0 \le m < M$. We also suppose that our finite field is chosen so that $q > Mk$. We write the integers from 1 to $Mk$ in the form $mk + j$, where $1 \le j \le k$, and we set up a 1-to-1 correspondence between such integers and a set of elements of $\mathrm{GF}(q)$. For example, we write such an integer as an $r$-digit integer to the base $p$, and take the $r$ digits, considered as elements of $\mathbb{Z}/p\mathbb{Z}$, as the coefficients of a polynomial of degree $r - 1$ corresponding to an element of $\mathbb{F}_q$. That is, the integer $(a_{r-1}, a_{r-2}, \ldots, a_0)_p$ corresponds to the polynomial $a_{r-1}x^{r-1} + \cdots + a_1 x + a_0$ which, considered modulo some degree-$r$ irreducible polynomial over $\mathbb{F}_p$, gives an element of $\mathbb{F}_q$. (For a prime field, $r = 1$ and the correspondence is simply the identity.) We can apply the above method even to curves over $\mathrm{GF}(2^n)$.

Thus, given $m$, for each $j = 1, 2, \ldots, k$ we obtain an element $x$ of $\mathbb{F}_q$ corresponding to $mk + j$. For such an $x$, we compute the right side of the equation

$$y^2 = f(x) = x^3 + ax + b$$

and try to find a square root of $f(x)$ using the method explained above. (Although the algorithm was given for the prime field $\mathbb{F}_p$, it carries over to any finite field $\mathbb{F}_q$. In order to use it we must have a nonsquare $g$ in the field, which can easily be found by a probabilistic algorithm.) If we find a $y$ such that $y^2 = f(x)$, we take $P_m = (x, y)$. If it turns out that $f(x)$ is a nonsquare, then we increment $j$ (i.e. $x$) by 1 and try again. Provided we find an $x$ for which $f(x)$ is a square before $j$ gets bigger than $k$, we can recover $m$ from the point $(x, y)$ by the formula $m = \lfloor (\bar{x} - 1)/k \rfloor$, where $\bar{x}$ is the integer corresponding to $x$ under the 1-to-1 correspondence between integers and elements of $\mathbb{F}_q$. Since $f(x)$ is a square for approximately 50% of all $x$, there is only about a $2^{-k}$ probability that this method will fail to produce a point $P_m$ whose $x$-coordinate corresponds to an integer $\bar{x}$ between $mk + 1$ and $mk + k$. (More precisely, the probability that $f(x)$ is a square is essentially equal to $N/2q$, where $N = \#E(\mathbb{F}_q)$; but $N/2q$ is very close to $1/2$.)

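The square-root procedure and the embedding above, as one added Python example (not code from the thesis or from [Kob1]). `sqrt_mod_p` follows the inductive determination of the binary digits of $j$ exactly as described, with the $p \equiv 3 \pmod 4$ shortcut of Remark 1 and a randomised nonresidue search as in Remark 3; `embed_message` and `recover_message` implement the $mk + j$ embedding over a prime field, where the integer-to-field-element correspondence is the identity. The curve parameters and message values in the main block are constructed inputs.

```python
# Added example: square roots mod p by the bit-by-bit procedure above, and the
# embedding of an integer message m as a point on y^2 = x^3 + a x + b over F_p.
# Prime field only (r = 1), so x corresponds to the integer m*k + j itself.
import random


def legendre(a, p):
    """chi_p(a) = a^((p-1)/2) mod p, reported as 1, -1 or 0."""
    v = pow(a % p, (p - 1) // 2, p)
    return -1 if v == p - 1 else v


def find_nonresidue(p, rng=random.Random(2024)):
    """Remark 3: a random n is a nonresidue with probability 1/2, so this halts quickly."""
    while True:
        n = rng.randrange(2, p)
        if legendre(n, p) == -1:
            return n


def sqrt_mod_p(a, p, n=None):
    """A square root of the residue a modulo the odd prime p, or None if a is a nonresidue."""
    a %= p
    if a == 0:
        return 0
    if legendre(a, p) != 1:
        return None
    if p % 4 == 3:                                   # Remark 1: alpha = 1
        return pow(a, (p + 1) // 4, p)
    if n is None:
        n = find_nonresidue(p)
    s, alpha = p - 1, 0                              # p - 1 = 2^alpha * s, s odd
    while s % 2 == 0:
        s //= 2
        alpha += 1
    b = pow(n, s, p)                                 # primitive 2^alpha-th root of unity
    x = pow(a, (s + 1) // 2, p)                      # r: x^2/a is a 2^(alpha-1)-th root of unity
    a_inv = pow(a, p - 2, p)
    for k in range(alpha - 1):
        # x^2/a is a 2^(alpha-k-1)-th root of unity; raise it to 2^(alpha-k-2) to get +-1
        t = pow(x * x * a_inv % p, 1 << (alpha - k - 2), p)
        if t == p - 1:                               # j_k = 1: correct x by b^(2^k)
            x = x * pow(b, 1 << k, p) % p
    return x


def embed_message(m, k, p, a, b):
    """Point P_m = (x, y) with x = m*k + j, 1 <= j <= k, and y^2 = x^3 + a x + b mod p.

    Requires p > M*k for 0 <= m < M.  Returns None with probability about 2^-k.
    """
    for j in range(1, k + 1):
        x = m * k + j
        y = sqrt_mod_p((x ** 3 + a * x + b) % p, p)
        if y is not None:
            return x, y
    return None


def recover_message(point, k):
    """m = floor((x - 1) / k)."""
    return (point[0] - 1) // k


if __name__ == "__main__":
    p, a, b, k = 1000000009, 2, 3, 30                # constructed parameters, p = 1 (mod 8)
    m = 12345
    P = embed_message(m, k, p, a, b)
    assert P is not None and (P[1] ** 2 - (P[0] ** 3 + a * P[0] + b)) % p == 0
    print("P_m =", P, "recovers", recover_message(P, k))
```

The loop in `sqrt_mod_p` runs $\alpha - 1$ times and each iteration costs at most $\alpha$ squarings, which is the $O(\alpha^2 \log^2 p)$ term of Remark 2.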

5.2 Construction of Elliptic Curves 

Let us recall certain basic properties of quadratic forms and quadratic fields that are necessary for the following sections. We will first see quadratic forms, which are easy to compute with, and then (imaginary) quadratic fields, which are well suited for explaining the theory. These are two sides of the same object.

Quadratic Forms:

The following results are well known and can be found in [Rose][Jones][Chah][Cohn1]. Let $\delta = -D$ be a fundamental discriminant, i.e., $D$ is a positive integer which is not divisible by the square of any odd prime and which satisfies $D \equiv 3 \pmod 4$ or $D \equiv 4, 8 \pmod{16}$. A quadratic form of discriminant $-D$ is a 3-tuple of integers $(a, b, c)$ such that $b^2 - 4ac = \delta = -D$. There is a correspondence between the set of quadratic forms and the set of symmetric $2 \times 2$ matrices with half-integer coefficients. With $Q = (a, b, c)$, we associate the $2 \times 2$ matrix

$$M(Q) = \begin{pmatrix} a & b/2 \\ b/2 & c \end{pmatrix}.$$

Two forms $Q$ and $Q'$ of the same discriminant are said to be equivalent (or $Q \sim Q'$) if there exists $N$ in $SL_2(\mathbb{Z})$ (i.e., a $2 \times 2$ integer matrix with determinant 1) such that

$$M(Q') = N^{T} M(Q)\, N.$$

This clearly defines an equivalence relation on the quadratic forms. It can be shown that

Prop: Each equivalence class contains exactly one form $(a, b, c)$ with $a, b, c$ relatively prime and satisfying $|b| \le a \le c$ and ($|b| = a$ or $a = c \Rightarrow b \ge 0$). Such a form is called reduced.

There is an algorithm to compute the reduced form equivalent to a given form: refer to [AtMo]. The set of primitive reduced quadratic forms of discriminant $\delta = -D$, denoted by $C(-D) = C(\delta)$, is finite (for $|b| \le a \le \sqrt{D/3}$ if $(a, b, c)$ is reduced). Moreover, it is possible to define an operation on classes that gives $C(\delta)$ the structure of an Abelian group. This operation is called the composition of classes and is ordinarily written multiplicatively [Cohn2]. For the actual computation, see [AtMo]. The order of $C(-D)$ is denoted by $h(-D) = h(\delta)$. The neutral element $F_D$ is called the principal form. It is equal to $(1, 0, D/4)$ or $(1, 1, (D+1)/4)$ according as $D \equiv 0$ or $3 \pmod 4$.


Quadratic fields:

Consider now $K = \mathbb{Q}(\sqrt{-D})$. The extension $K/\mathbb{Q}$ is Abelian of degree 2, with Galois group $\{1, *\}$, where $*$ denotes complex conjugation. The ring of integers of $K$ is $O_K = \mathbb{Z}[\omega]$, where

$$\omega = \begin{cases} \sqrt{-D}/2 & \text{if } D \equiv 0 \pmod 4, \\ (1 + \sqrt{-D})/2 & \text{otherwise.} \end{cases}$$

The conjugate of an element $\alpha = x + y\omega$ is $\alpha' = \alpha^* = x + y\omega^*$. The trace (resp. norm) of $\alpha$ is $\mathrm{Tr}(\alpha) = \alpha + \alpha^*$ (resp. $N_K(\alpha) = \alpha\,\alpha^*$). If $\alpha$ is an element of $K$, its associates are the $v\alpha$, where $v$ is any unit of $K$ (that is, $N_K(v) = 1$). The number of units is denoted by $w(-D)$ and is equal to 6, 4, or 2 according as $D$ equals 3, 4, or is $> 4$. The group of units is denoted by $O_K^*$.

The decomposition of the ideal $(p)$ in $K$ is given by the following theorem:

Prop: If $(-D/p) = +1$, the ideal $(p)$ splits as the product of two distinct prime ideals in $K$. If $(-D/p) = 0$, $p$ ramifies, and if $(-D/p) = -1$, it is inert.

We have a useful result:

Prop: The equation $p = N_K(\pi)$ has a solution $\pi$ in $O_K$ iff $(p)$ splits as the product of two principal ideals in $K$. This is equivalent to saying that $p$ is represented by the principal form of discriminant $-D$. In other words: $4p = A^2 + DB^2$ with $A$ and $B$ in $\mathbb{Z}$ (then $\pi = (A + B\sqrt{-D})/2$).

If $p$ is representable by the principal form of discriminant $-D$, we shall say that $p$ is a norm in $\mathbb{Q}(\sqrt{-D})$, or simply that $p$ is a norm when the context is clear. Conversely, we shall say that $-D$ is good for $p$ if $p$ is a norm. Thus, in general, $(-D/p) = 1$, that $p$ splits in $\mathbb{Q}(\sqrt{-D})$, even that $p$ is representable by a form of the principal genus, are all only necessary conditions for $p$ to be a norm.

Ideal Classes and Quadratic Forms:

The class group of an order $O$ in $K$ (i.e. the group of invertible fractional $O$-ideals modulo the principal ones), its class number and its discriminant will be denoted by $C\ell(O)$, $h(O)$ and $\delta(O)$, respectively. In the special case in which $O = O_K$ is the maximal order of $K$ we shall use the abbreviating notations $C_K = C\ell(O_K)$, $h_K = h(O_K)$ and $\delta_K = \delta(O_K)$. Ideal classes of $O$ will be represented by $SL_2(\mathbb{Z})$-equivalence classes $[Q]$ of (in our context positive definite binary) quadratic forms $Q = (a, b, c)$ of discriminant $\delta(O) = b^2 - 4ac$. To each quadratic form we associate the number $\tau_Q = (-b + \sqrt{\delta})/(2a)$, which is the unique root of $Q(\tau, 1) = a\tau^2 + b\tau + c$ lying in the upper half plane $\mathbb{H}$. We have the following connection between ideal classes and quadratic forms [Heck][Cohn1][Cohn2]:

Theorem: Let $O$ be the order of discriminant $\delta$ in the imaginary quadratic field $K = \mathbb{Q}(\sqrt{\delta})$.

(1) If $Q = (a, b, c) : (x, y) \mapsto ax^2 + bxy + cy^2$ with $a, b, c \in \mathbb{Z}$ is a quadratic form of discriminant $\delta$, then $[1, \tau_Q]$ (the $\mathbb{Z}$-module spanned by 1 and $\tau_Q$) is an invertible fractional $O$-ideal.

(2) The map sending $Q$ to $[1, \tau_Q]$ induces an isomorphism between the form class group $C(\delta)$ of all (primitive) quadratic forms of discriminant $\delta$ and the ideal class group $C\ell(O)$.

Complex Multiplication for lattices:

Let $\Lambda = \Lambda(1, \omega) = \mathbb{Z} + \omega\mathbb{Z}$ be a lattice in $\mathbb{C}$. Put $M(\Lambda) = \{\alpha \in \mathbb{C} : \alpha\Lambda \subseteq \Lambda\}$. It is clear that $\mathbb{Z} \subseteq M(\Lambda)$. When $M(\Lambda)$ is strictly greater than $\mathbb{Z}$, we say that $\Lambda$ has (or admits) Complex Multiplication. It can be shown that if $\Lambda$ has CM, then $\omega$ belongs to an imaginary quadratic field $K = \mathbb{Q}(\sqrt{\delta})$. Then $M(\Lambda)$ is an order $O$ in $K$, that is, a subring of $O_K$ (the ring of integers of $K$) which is a free $\mathbb{Z}$-module of rank 2 [Shaf2][Lang1].

Class Field Theory of Imaginary Quadratic Fields:

Class Field Theory is one of the most remarkable achievements of mathematics. One of its motivating problems was the construction of the maximal unramified Abelian extension of an imaginary quadratic field. In the present context we need only a small part of the theory. Let $-D = \delta$ be a fundamental discriminant and $K = \mathbb{Q}(\sqrt{\delta})$. The Hilbert Class Field of $K$ is the maximal unramified Abelian extension of $K$ and is denoted by $H_K$. Now we have:

Theorem 1. The field $H_K$ can be obtained by adjoining to $K$ any value $j_r = j(\tau_r)$, where $\tau_r$ is the complex number associated with $Q_r$, i.e. $\tau_r = \tau(Q_r) = (-b_r + \sqrt{\delta})/(2a_r)$ with $Q_r = (a_r, b_r, c_r)$ in $C(\delta)$. The minimal polynomial of the $j_r$'s is denoted by $W_\delta[j](x)$. It follows that $H_K$ is precisely the splitting field of $W_\delta[j](x)$. The Galois group $G_H$ of $H_K/K$ is isomorphic to $C(\delta)$, and the element $\sigma_Q$ of $G_H$ corresponding to the class of $Q$ acts on $j(Q')$ by

$$\sigma_Q\bigl(j(Q')\bigr) = j\bigl(Q^{-1} \cdot Q'\bigr).$$

We also require the following:

Theorem 2: A rational prime $p$ is a norm in $K$ iff $(p)$ splits completely in $H_K$. This is equivalent to saying that $W_\delta[j](x) \pmod p$ has only simple roots and they are all in $\mathbb{F}_p$. Moreover, we have that

$$4p = A^2 + DB^2$$

has a solution in rational integers $(A, B)$ iff $W_\delta[j](x)$ splits completely modulo $p$. This last statement follows from the previous proposition about the representation of $4p$.

Actually in the above, $H_K$, the Hilbert class field, is the maximal unramified Abelian extension of $K$ w.r.t. the maximal order $O_K$. As we have seen, we can associate an isomorphism between the form class group $C(\delta)$ of all quadratic forms of discriminant $\delta$ and the ideal class group $C\ell(O)$ of an order $O$. Correspondingly, we can associate a Ring Class Field $H_O$ to an order $O$ in $K$. So Theorem 1 in the context of Class Field Theory stated above can be restated for the class group $C\ell(O)$ of an order $O$ in $K$, with $H_K$ replaced by $H_O$.


Dedekind's $\eta$-Function and Weber's Functions $f, f_1, f_2$: For $\tau \in \mathbb{H}$ and $a \in \mathbb{Q}$, we put $q^a = e^{2\pi i a\tau}$. Let $\zeta_n = e^{2\pi i/n}$. The Dedekind $\eta$-function is defined by

$$\eta(\tau) = q^{1/24} \prod_{n=1}^{\infty} (1 - q^n) = q^{1/24} \sum_{n=-\infty}^{\infty} (-1)^n q^{n(3n-1)/2}.$$

Note that $\eta(\tau)$ converges for $\tau \in \mathbb{H}$. The classical Weber functions $f, f_1, f_2$ are defined in terms of $\eta$ as follows:

$$f(\tau) = \zeta_{48}^{-1}\,\frac{\eta\bigl((\tau + 1)/2\bigr)}{\eta(\tau)}, \qquad f_1(\tau) = \frac{\eta(\tau/2)}{\eta(\tau)}, \qquad f_2(\tau) = \sqrt{2}\,\frac{\eta(2\tau)}{\eta(\tau)}.$$

The function $\gamma_2$ is a cube root of the elliptic modular function $j$ (i.e. $j = \gamma_2^3$), and the functions $\gamma_2$ and $\gamma_3$ are connected to the Weber functions and to $j$ via

$$\gamma_2 = \frac{f^{24} - 16}{f^8} = \frac{f_1^{24} + 16}{f_1^8} = \frac{f_2^{24} + 16}{f_2^8}, \qquad \gamma_3 = \frac{(f^{24} + 8)\,(f_1^8 - f_2^8)}{f^8}, \qquad \gamma_2^3 = \gamma_3^2 + 1728.$$

The action of the generators of $SL_2(\mathbb{Z})$ on these functions is given by

$$\begin{aligned}
\eta(\tau + 1) &= \zeta_{24}\,\eta(\tau), & \eta(-1/\tau) &= \sqrt{-i\tau}\,\eta(\tau), \\
f(\tau + 1) &= \zeta_{48}^{-1}\,f_1(\tau), & f(-1/\tau) &= f(\tau), \\
f_1(\tau + 1) &= \zeta_{48}^{-1}\,f(\tau), & f_1(-1/\tau) &= f_2(\tau), \\
f_2(\tau + 1) &= \zeta_{24}\,f_2(\tau), & f_2(-1/\tau) &= f_1(\tau), \\
\gamma_3(\tau + 1) &= -\gamma_3(\tau), & \gamma_3(-1/\tau) &= -\gamma_3(\tau), \\
\gamma_2(\tau + 1) &= \zeta_3^{-1}\,\gamma_2(\tau), & \gamma_2(-1/\tau) &= \gamma_2(\tau), \\
j(\tau + 1) &= j(\tau), & j(-1/\tau) &= j(\tau).
\end{aligned}$$

We also recall the useful relations

$$f \cdot f_1 \cdot f_2 = \sqrt{2}, \qquad f_1(2\tau)\,f_2(\tau) = \sqrt{2},$$

and

$$f^8 = f_1^8 + f_2^8.$$

Now that we have seen the basic material which we will need, related to quadratic forms and quadratic fields, and how elegantly Class Field Theory links both of these domains, let us recall certain basics regarding elliptic curves over a finite field, some of which we will adjust to our application.

Theorem 1. Let $E$ be an elliptic curve over a finite field. Then the endomorphism ring (always considered over an algebraic closure) $\mathrm{End}(E)$ of $E$ is either an order in an imaginary quadratic field $K$ or an order in a quaternion algebra.

In the first case $E$ is called ordinary or non-supersingular and in the second supersingular. Note that in any case, $E$ has complex multiplication since $\mathrm{End}(E)$ is strictly larger than $\mathbb{Z}$. The following theorem enables us to distinguish between ordinary and supersingular curves. For a complete classification of supersingular curves see [Huse].

Theorem 2: (1) An elliptic curve over $\mathbb{F}_p$, $p > 3$, is supersingular iff its group has cardinality $p + 1$.

(2) An elliptic curve over $\mathbb{F}_{2^n}$ is supersingular iff its $j$-invariant is zero.

Of course, in order to construct a curve with given order $m = \#E(\mathbb{F}_q)$, $q = p^n$, we make use of the fact that the Riemann hypothesis for the $\zeta$-function of $E$ over $\mathbb{F}_q$ is true.

Theorem 3 (Hasse's Theorem). The order $m = \#E(\mathbb{F}_q)$ of an elliptic curve $E$ over $\mathbb{F}_q$ satisfies the inequality

$$|q + 1 - m| \le 2\sqrt{q}.$$

Elliptic curves $E$ over $\mathbb{F}_q$ can be obtained by reducing suitable elliptic curves over algebraic number fields.

Theorem 4: Let $K$ be an imaginary quadratic field and $H_O$ be the ring class field associated to an order $O$ in $K$. Denote by $p$ a rational prime which splits completely in $K$ and by $\mathfrak{B}$ a prime of $H_O$ above $p$ with residue degree $f = f_{\mathfrak{B}|p}$, and such that $p$ does not divide the conductor $[O_K : O]$. Let $\mathcal{E}$ be an elliptic curve over $H_O$ which has complex multiplication by $O$ and good, ordinary reduction at $\mathfrak{B}$. Then there is an element $\pi \in O \setminus pO$ satisfying the system of norm equations

$$q = N_K(\pi),$$

$$\#E(\mathbb{F}_q) = N_K(1 - \pi)$$

for the $\mathfrak{B}$-reduced curve $E$ of $\mathcal{E}$, where $q = p^f$. The endomorphism ring of $\mathcal{E}$ is stable under the reduction map $\mathcal{E} \to E$ by $\mathfrak{B}$, i.e. $\mathrm{End}(\mathcal{E}) = \mathrm{End}(E) = O$. Moreover, every elliptic curve over $\mathbb{F}_q$ with endomorphism ring $O$ arises in this way.

Let $\pi_q \in \mathrm{End}(E)$ be the Frobenius endomorphism acting on $E(\overline{\mathbb{F}}_q)$. Under the projection $\mathcal{E} \to E$ by $\mathfrak{B}$, $\pi$ maps to $\pi_q$, and the endomorphism $1 - \pi \in \mathrm{End}(\mathcal{E})$ maps to $1 - \pi_q \in \mathrm{End}(E)$, where 1 is the identity endomorphism of both $\mathcal{E}$ and $E$. The crucial point with respect to the construction is that the group of rational points of $E$ is given as the kernel of $1 - \pi_q$. Thus, we want to find an elliptic curve $\mathcal{E}$ over $H_O$ such that the reduced curve $E$ over $\mathbb{F}_q$ has the preassigned order

$$m = \#\ker(1 - \pi_q).$$

First of all, we must find the imaginary quadratic field $K$ of Theorem 4 when $m$ and $q$ are given.

Theorem 5: The imaginary quadratic field $K$ of Theorem 4 is given by

$$K = \mathbb{Q}\Bigl(\sqrt{(q + 1 - m)^2 - 4q}\Bigr).$$

Concerning the group structure, we have

Theorem 6 (Hasse). Let $E$ be an elliptic curve over the finite field $\mathbb{F}_q$. Then the structure of $E(\mathbb{F}_q)$ as an Abelian group is given by

$$E(\mathbb{F}_q) \cong \mathbb{Z}/n_1\mathbb{Z} \times \mathbb{Z}/n_2\mathbb{Z},$$

where $n_1$ and $n_2$ are positive integers such that $n_1 \mid n_2$ and $n_1 \mid \gcd(\#E(\mathbb{F}_q), q - 1)$.

As a matter of fact, elliptic curves over prime fields are almost always cyclic. The following Theorem 7 helps us in deciding whether or not, for any given $n > 1$, there is an elliptic curve $E$ over $\mathbb{F}_p$ with structure $E(\mathbb{F}_p) \cong (\mathbb{Z}/n\mathbb{Z}) \times (\mathbb{Z}/n\mathbb{Z})$.

Theorem 7: Let $E$ be an elliptic curve over $\mathbb{F}_p$ with $n = n_1 = n_2$ as in the preceding theorem. Then one of the statements

1. $\mathrm{End}(E)$ is an order of $\mathbb{Q}(\sqrt{-1})$ and $p = n^2 + 1$;

2. $\mathrm{End}(E)$ is an order of $\mathbb{Q}(\sqrt{-3})$ and $p = n^2 \pm n + 1$

is true.

Having looked into all the basic material required, let us now look into the actual computational procedure for the construction of elliptic curves with given group order over large finite fields [LayZ]. For this we need the reduced class equations, which are useful in the effective construction of the ring class fields associated to an order of an imaginary quadratic field, since their computation forms the main part of the procedure. (The terminology and the notations are the same as above, i.e. have the same meaning.)

Reduced Class Equations:

Let $u(z)$ denote a modular function and $\omega = \omega(O) = \tau_{Q_0}$ be the generator of $O$ such that $O = \mathbb{Z} + \omega\mathbb{Z} = \mathbb{Z} + [O_K : O]\,\omega_K\mathbb{Z}$, where $\omega_K = \omega(O_K)$. Then, in Weber's extension of the concept of class invariants, $u(z)$ is a class invariant if $u(\omega) \in H_O = K(j(\omega))$. We then write $W_\delta[u](x)$ for the minimal polynomial of $u(\omega)$ over $\mathbb{Q}$. Note that $W_\delta[j](x)$ is just the usual class equation corresponding to the discriminant $\delta$. Following [LayZ], we attach to a form $Q = (a, b, c)$ of discriminant $\delta$ the adjusted singular values $\gamma_3(Q)$ and $f^*(Q)$, obtained from $\gamma_3(\tau_Q)$ and from the Weber functions at $\tau_Q$ by multiplication with an explicit root of unity, so that the result depends only on the class of $Q$ (Theorem 9 below). For $\delta \equiv 1 \pmod 8$ (where $ac$ is necessarily even) $f^*(Q)$ has the shape

$$f^*(Q) = \begin{cases} \varepsilon(Q)\, f_1(\tau_Q) & \text{if } 2 \mid a \text{ and } 2 \mid c, \\ \varepsilon(Q)\, f(\tau_Q) & \text{if } 2 \mid a \text{ and } 2 \nmid c, \\ \varepsilon(Q)\, f_2(\tau_Q) & \text{if } 2 \nmid a \text{ and } 2 \mid c, \end{cases}$$

where $\varepsilon(Q) = \pm\zeta_{48}^{\,e(a,b,c)}$ is the sign and 48th root of unity given explicitly in [LayZ].

In the following table (Choice of $u$) we will see some functions $\psi_u(x)$ (the relation between $j$ and $u$, namely $j = \psi_u(u)$) introduced by Lay & Zimmer [LayZ], which they have derived and used to compute $W_\delta[j](x)$ efficiently. In particular, since $u(\omega)$ is algebraic over $\mathbb{Z}$ but not real in general, and since we are computing first $W_\delta[u](x)$ using real number approximations (which is of course our strategy), which gives a polynomial over $\mathbb{R}$, and only then using the relation between $u$ and $j$ to get $W_\delta[j](x)$, there is a need to define a required precision. In particular, we use the following precision (in decimal digits) function $\Pi_u$ in our computations (for the derivation of which, see [AtMo]); for $u = j$ it is

$$\Pi_j = 5 + \frac{h}{4} + \frac{\pi\sqrt{|\delta|}}{\ln 10} \sum_{[a,b,c] \in C(\delta)} \frac{1}{a}.$$

TABLE 1 (Choice of $u$):

(no condition on $\delta$): $u = j$, $u^* = j(\tau_Q)$, $\psi_u(x) = x$, $\Pi_u = \Pi_j$.

$\delta \not\equiv 0 \pmod 2$: $u = \sqrt{\delta}\,\gamma_3$, $u^* = \sqrt{\delta}\,\gamma_3(Q)$, $\psi_u(x) = x^2/\delta + 1728$, $\Pi_u = (\Pi_j + h \log_{10}|\delta|)/2$.

$\delta \not\equiv 0 \pmod 3$: $u = \gamma_2$, $u^* = \gamma_2^*(Q)$, $\psi_u(x) = x^3$, $\Pi_u = \Pi_j/3$.

$\delta \not\equiv 0 \pmod 3$, $\delta \equiv 1 \pmod 8$: $u = f$, $u^* = f^*(Q)$, $\psi_u(x) = (x^{24} - 16)^3/x^{24}$, $\Pi_u = 1 + \Pi_j/47$.

Theorem 9: Let $\delta$ be the discriminant of an order $O$ in $\mathbb{Q}(\sqrt{\delta})$ and choose $\delta$, $u$, $u^*$ and $\psi_u$ according to Table 1. Then

1. $u^*$ depends only on the $SL_2(\mathbb{Z})$-equivalence class of $Q$, so that we may write $u^*([Q])$ for $u^*(Q)$.

2. $u^*([Q_0]) \in \mathbb{Q}(j([Q_0]))$, where $[Q_0]$ is the class of the principal form $F_D$ and hence is the identity in $C(\delta)$.

3. $u^*(-[Q]) = \overline{u^*([Q])}$, where the bar denotes complex conjugation and $-[Q]$ stands for the inverse of $[Q]$, i.e. $-[a, b, c] = [a, -b, c]$.

4. $W_\delta[u](x) = \prod_{[Q] \in C(\delta)} \bigl(x - u^*([Q])\bigr)$.

5. $W_\delta[u](x_0) = 0 \Rightarrow W_\delta[j]\bigl(\psi_u(x_0)\bigr) = 0$.

We now summarize the steps required for computing $W_\delta[u]$:

1. Compute $C(\delta)$ by means of the Theorem which we saw above in the context of the relation between ideal classes and forms, i.e. enumerate the reduced forms of discriminant $\delta$.

2. Compute approximations $\tilde{u}^*([Q])$ for the $h(O)$ values $u^*([Q])$. Apply Theorem 9 (items 1 and 3) to speed up the computation.

3. Form the product (Theorem 9.4) to obtain a polynomial $\tilde{W}_\delta[u](x) \in \mathbb{R}[x]$ corresponding to the $\tilde{u}^*([Q])$.

4. $\tilde{W}_\delta[u]$ will be close to the desired class equation $W_\delta[u](x) \in \mathbb{Z}[x]$, provided the operations have been carried out with a sufficiently high precision $\Pi_u$.

5. Round $\tilde{W}_\delta[u]$ to obtain $W_\delta[u]$, i.e. round its coefficients.

Since $u^*$ depends only on $[Q] \in C(\delta)$, we may represent the elements of $C(\delta)$ by the unique reduced quadratic forms $Q = (a, b, c)$ of discriminant $\delta$. Thus, we have $|b| \le a \le \sqrt{|\delta|/3}$, hence $\mathrm{Im}(\tau_Q) = \sqrt{|\delta|}/(2a) \ge \sqrt{3}/2$, and the Dedekind $\eta$-function converges at worst like a power series in $|q| = e^{-2\pi\,\mathrm{Im}(\tau_Q)} \le e^{-\pi\sqrt{3}}$.

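Steps 1 to 5 above, together with the enumeration of reduced forms from the quadratic-forms section, as one added Python example (not the thesis's implementation, and not code from [LayZ] or [AtMo]): the reduced forms of discriminant $\delta = -D$ are enumerated directly from the reduction conditions, each $j(\tau_Q)$ is evaluated through the $\eta$-product and the Weber function $f$ via $\gamma_2 = (f^{24} - 16)/f^8$, $j = \gamma_2^3$, and the class polynomial $W_\delta[j](x)$ is formed from its roots and rounded. It uses only double precision, which is enough for the small discriminants in the main block ($|\delta| \le 23$); for the large discriminants of the text one replaces `cmath` by a multiprecision library and sets the working precision from $\Pi_u$.

```python
# Added example: enumeration of C(delta) by reduced forms and computation of the
# class equation W_delta[j](x) = prod (x - j(tau_Q)), with j evaluated via Dedekind's
# eta and Weber's f.  Double precision only: fine for small |delta|, not for the
# cryptographic sizes of the text.
import cmath
import math


def reduced_forms(D):
    """Primitive reduced forms (a, b, c) with b^2 - 4ac = -D:
    |b| <= a <= c, b >= 0 if |b| == a or a == c, gcd(a, b, c) = 1.  Their number is h(-D)."""
    forms = []
    for a in range(1, math.isqrt(D // 3) + 2):          # a <= sqrt(D/3)
        for b in range(-a + 1, a + 1):                   # -a < b <= a
            if (b * b + D) % (4 * a):
                continue
            c = (b * b + D) // (4 * a)
            if c < a or (a == c and b < 0):
                continue
            if math.gcd(math.gcd(a, abs(b)), c) != 1:
                continue
            forms.append((a, b, c))
    return forms


def eta(tau, terms=80):
    """Dedekind eta(tau) = q^(1/24) prod_{n>=1} (1 - q^n), q = exp(2 pi i tau), Im tau > 0."""
    q = cmath.exp(2j * cmath.pi * tau)
    value = cmath.exp(2j * cmath.pi * tau / 24)
    for n in range(1, terms + 1):
        value *= 1 - q ** n
    return value


def weber_f(tau):
    """f(tau) = zeta_48^{-1} eta((tau + 1)/2) / eta(tau)."""
    return cmath.exp(-2j * cmath.pi / 48) * eta((tau + 1) / 2) / eta(tau)


def j_invariant(tau):
    """j = gamma_2^3 with gamma_2 = (f^24 - 16) / f^8."""
    f8 = weber_f(tau) ** 8
    gamma2 = (f8 ** 3 - 16) / f8
    return gamma2 ** 3


def class_polynomial(D):
    """Integer coefficients (leading first) of W_{-D}[j](x) = prod_{Q reduced} (x - j(tau_Q)),
    tau_Q = (-b + sqrt(-D)) / (2a).  Inverse classes (a, -b, c) give conjugate roots
    (Theorem 9.3), so the product is real up to rounding error."""
    coeffs = [1 + 0j]
    for a, b, c in reduced_forms(D):
        root = j_invariant(complex(-b, math.sqrt(D)) / (2 * a))
        coeffs.append(0j)
        for i in range(len(coeffs) - 1, 0, -1):          # multiply by (x - root)
            coeffs[i] -= root * coeffs[i - 1]
    return [round(z.real) for z in coeffs]


if __name__ == "__main__":
    for D in (3, 4, 7, 23):
        print(f"delta = {-D}: h = {len(reduced_forms(D))}, W[j] = {class_polynomial(D)}")
```

For $\delta = -23$ the three reduced forms $(1,1,6)$, $(2,\pm 1, 3)$ give a root of size about $3.5 \cdot 10^6$ and a conjugate pair, and the constant term of $W_{-23}[j]$ already has 14 digits, which shows why the precision estimate $\Pi_u$ and the smaller invariants of Table 1 matter for large $|\delta|$.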
Since we have looked into how to construct the class equation, let us now see how to construct an elliptic curve having a group order $m$ over $\mathbb{F}_q$. For this we need the defining equation of an elliptic curve in terms of its $j$-invariant. Let us again look into the reduction stated in Theorem 4.

A Defining Equation:

The finite field $\mathbb{F}_q$ and the order of the elliptic curve $E$ over $\mathbb{F}_q$ are connected by the two norm equations. By Class Field Theory, we know that the class invariant $u$ associated to the $j$-invariant of $\mathcal{E}$ by $\psi_u$ as defined above is a primitive element of the ring class field $H_O$ over $K$, that is

$$H_O = K\bigl(u(\mathcal{E})\bigr) = K[x]/W_{\delta(O)}[u](x)\,K[x].$$
Note that by the decomposition law for primes in an algebraic number field and by the algebraic properties of $H_O$ and $\mathfrak{B} \subset H_O$ ($p$ splits completely in $K$ and is relatively prime to the conductor of $O$) it is easy to see that the reduced class equation $W_\delta[u]$ splits over $\mathbb{F}_p$ into irreducible factors of degree $f$ [Cohn1][Heck][Shaf2][Lang2][BCIS]. This is true because the $\mathfrak{B}$ in Theorem 4 has residue field $O_{H_O}/\mathfrak{B} \cong \mathbb{F}_q$, where $q = p^f$ [BCIS][Cohn1]. Observe also that, for each root $x_0$ of $W_\delta[u]$ mod $\mathfrak{B}$, $\psi_u(x_0)$ yields the image of the $j$-invariant under the reduction modulo $\mathfrak{B}$ of an elliptic curve $\mathcal{E}$ over $H_O$ with endomorphism ring $\mathrm{End}(\mathcal{E}) = O$, and hence yields the $j$-invariant of an elliptic curve $E$ over $\mathbb{F}_q$ with group order $N_K(1 - \alpha\pi)$ for some unit $\alpha \in O^*$. Therefore, the computation of a defining equation consists in the following steps:

1. Compute/choose $\delta$ and a prime $p$ that splits completely in $K = \mathbb{Q}(\sqrt{\delta})$.

2. Choose the class invariant $u$ of Table 1 that requires the lowest precision $\Pi_u$.

3. Compute $W_\delta[u]$.

4. Find a root $x_0$ of $W_\delta[u]$ over $\mathbb{F}_q$.

5. Put $j_0 = \psi_u(x_0)$.

6. Compute an elliptic curve over $\mathbb{F}_q$ with $j$-invariant $j_0$ having the desired group order

$$m = \#E(\mathbb{F}_q) = \#\ker(1 - \pi).$$

It remains to explain the last step. We need a relation between the $j$-invariant and the curve. Instead of using the usual (long) Weierstrass equation for solving this problem, we prefer to employ other normal forms which are more appropriate with respect to our problem.

Theorem 10: (1) Let $p > 3$ be a prime and $j_0 \in \mathbb{F}_p$ be given. Then the elliptic curve over $\mathbb{F}_p$

$$E : y^2 = x^3 + 3kx + 2k \quad \text{with } k = \frac{j_0}{1728 - j_0} \quad \text{if } j_0 \neq 0, 1728,$$

$$E : y^2 = x^3 + ax \quad \text{with } a \in \mathbb{F}_p^* \quad \text{if } j_0 = 1728,$$

$$E : y^2 = x^3 + b \quad \text{with } b \in \mathbb{F}_p^* \quad \text{if } j_0 = 0$$

has $j$-invariant $j_0$.

(2) Let $\gamma \in \mathbb{F}_{2^n}$ be given with absolute trace $\mathrm{Tr}(\gamma) = 1$. Then a complete set of isomorphism classes of ordinary (which is equivalent to $j \neq 0$ in characteristic 2) elliptic curves over $\mathbb{F}_{2^n}$ with $j$-invariant $j_0 \neq 0$ is given by

$$y^2 + xy = x^3 + a_2 x^2 + j_0^{-1} \quad \text{with } a_2 \in \{0, \gamma\}.$$
But unfortunately, by the reduction process of Theorem 4, every isomorphism class of elliptic curves over $H_O$ splits into several isomorphism classes of elliptic curves over $\mathbb{F}_q$. That is, an isomorphism class of elliptic curves over $\mathbb{F}_q$ is not uniquely determined by its $j$-invariant. The number of these isomorphism classes (for a fixed $j$-invariant) is given by the number $\#O_K^*$ of units in $K$. (This is clear because the solution of the norm equation is unique up to multiplication with a unit, since $N_K(\pi) = N_K(\alpha\pi) = N_K(\alpha)\,N_K(\pi)$ because $N_K(\alpha) = 1$ for $\alpha \in O_K^*$ [Pol1][Cohn1].) We shall need the following:

Theorem 11: Let $E$ and $E'$ be two elliptic curves over $\mathbb{F}_q$. If $E$ is ordinary then $E$ and $E'$ are isomorphic over $\mathbb{F}_q$ iff $j(E) = j(E')$ and $\#E(\mathbb{F}_q) = \#E'(\mathbb{F}_q)$.

Let the elliptic curve $E$ over $\mathbb{F}_p$, $p > 3$, be given by a short Weierstrass equation

$$E : y^2 = x^3 + ax + b.$$

Define the $c$-twist $\tilde{E}$ of $E$ by

$$\tilde{E} : y^2 = x^3 + \tilde{a}x + \tilde{b} \quad \text{with } \tilde{a} = ac^2 \text{ and } \tilde{b} = bc^3$$

for any fixed non-square $c \in \mathbb{F}_p^*$. In characteristic 2, we define the $\gamma$-twist of

$$E : y^2 + xy = x^3 + a_2 x^2 + a_6$$

by

$$\tilde{E} : y^2 + xy = x^3 + \tilde{a}_2 x^2 + \tilde{a}_6 \quad \text{with } \tilde{a}_2 = a_2 + \gamma,\ \tilde{a}_6 = a_6,\ \mathrm{Tr}(\gamma) = 1.$$

Theorem 12: Let $E$ be an ordinary curve over $\mathbb{F}_q$ and $\tilde{E}$ be a twist. Then

1. $j(E) = j(\tilde{E})$;

2. $\#E(\mathbb{F}_q) + \#\tilde{E}(\mathbb{F}_q) = 2q + 2$;

3. $E(\mathbb{F}_{q^2}) \cong \tilde{E}(\mathbb{F}_{q^2})$.

In the case $\delta(K) < -4$, there are only two isomorphism classes. The defining equation of a curve satisfying $m = \#E(\mathbb{F}_q) = \#\ker(1 - \pi)$ is then given by $E$ or its twist $\tilde{E}$, where $j(E) = j(\tilde{E}) = j_0$. In any case, the right choice between $E$ and $\tilde{E}$ is made by trial and error for $p > 3$ (for instance by checking whether $m \cdot P = O$ for a random point $P$ on the candidate curve, which by Theorem 12.2 distinguishes the two twists unless $m = q + 1$). If $p = 2$, we have

Theorem 13: Let $E$ be an ordinary elliptic curve over $\mathbb{F}_{2^n}$ in the normal form above. Then

$$\#E(\mathbb{F}_{2^n}) \equiv 2\,\mathrm{Tr}(a_2) \pmod 4.$$
Now that we have seen the procedure to design (or, say, construct) a curve of given group order over a large finite field, let us see if there are any computational problems with the above procedure. The main problem sometimes would be that, for the given group order $m = \#E(\mathbb{F}_p)$ and prime $p$, the chosen field $K = \mathbb{Q}\bigl(\sqrt{(p + 1 - m)^2 - 4p}\bigr)$ might have a very large discriminant (the squarefree part of $(p + 1 - m)^2 - 4p$) and/or a very large class number, which will reduce the speed of computation very severely. But when we are free to design the (large) order $m$ and the (large) prime $p$, we can amend our procedure so that we can work with a small class number. That is to say, if we are not bothered about a specific value of $m$ and $p$, but we impose the condition that they be large (which can be stated for example by giving a bound like $m = 2q'$ with $q'$ a large prime, say $q' > 10^{50}$), we can start with a small class number $h_K$ and proceed to find an integral solution $\pi$ of the norm equation $N_K(\pi) = p$ such that $N_K(1 - \pi)$ or $N_K(1 + \pi)$ is (a small cofactor times) a prime. This way, we are sure to work with a small class number and the corresponding small discriminant, and hence to design a suitable curve efficiently with less computation time. Note that in cryptographic applications this will mostly be the case, where we will be asked for ordinary curves whose order has a large prime factor rather than for a specific order.

From the above discussion, it is clear that in the other method with relaxed constraints, solving the norm equation forms the major part. So in the next section let us see an effective way of solving the norm equation.

5.3 Solving the Norm Equation 

We want to compute all representations of a positive integer m as a norm in the imagi- 
nary quadratic field K =Q{'/6) of discriminant S = 6k. Equivalently, we must find the 

generators of all principal ideals of Ok with norm m [Heck] [Shafl] [Shaf2] [Ono] [PoZe]. 

We write 

771 = 11 ?^’’ 

p\m 

and 

V~ with ff{P) = p if (5 I p) = 0 
pOk = \ VV with H\p) = p if (5 I p) = 1 

V with MifP) = p^ if (5 I p) = —1 

where (-Ip) denotes the Legendre S3mibol Aj,(-) for p 7^ 2 and the Kronekar symbol for 
p = 2 i.e. 

( —1 if 5 = 5 mod 8 

I 2) = < 0 if 5 = 0 mod 4 

1 if 5 = 1 mod 8 

If Cp is odd for one p with (^ | p) = —1, then there is no ideal of norm m in Ok- Otherwise, 
the ideals A of norm m axe obviously given by 

— n n n , wuh ^<kp<ep . 

^|plm,(i51x)=0 75|p|m,(i51p)=l V\p\m,{6\p)=-\ 
In order to decide whether or not an ideal A is principal, we consider A as a lattice in $\mathbb{C}$ and look 
for a minimal (with respect to the norm $N_K$) element $\pi$ of $A \setminus \{0\}$. Since A is principal 
iff $N_K(\pi) = N(A) = m$, and $\pi$ is unique up to the known units of K, we find all solutions 

to $m = N_K(\pi)$ with $\pi \in \mathcal{O}_K$. To get an explicit representation of a prime ideal $\mathcal{P}$, we 
use the decomposition law. The prime ideal $\mathcal{P}$ is given (up to conjugation) by 

$$\mathcal{P} = \begin{cases} p\mathcal{O}_K & \text{if } (\delta \mid p) = -1 \\ p\mathcal{O}_K + (\omega_K - \omega_p)\mathcal{O}_K & \text{if } (\delta \mid p) \in \{0, 1\}, \end{cases}$$ 

where $\omega_p \in \mathbb{Z}$ is any solution of $\omega_p \equiv \ldots \bmod p$. Note that $\mathcal{O}_K = \mathbb{Z} + \omega_K\mathbb{Z}$. From this it is 
easy to derive a $\mathbb{Z}$-basis for $\mathcal{P}$. In particular, we have 

$$\mathcal{P} = p\mathbb{Z} + \frac{r + \sqrt{\delta}}{2}\,\mathbb{Z} \qquad \text{with} \qquad \begin{cases} r^2 \equiv \delta \bmod 4p & \text{if } p \neq 2,\ (\delta \mid p) = 1 \\ r = \delta & \text{if } p \neq 2,\ (\delta \mid p) = 0 \\ r = \delta & \text{if } p = 2,\ (\delta \mid p) = 1 \\ r = \delta/2 & \text{if } p = 2,\ (\delta \mid p) = 0 \end{cases}$$ 
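As an added illustration of this section (my code, not the thesis's SIMATH routines), the following Python puts the above into practice: the symbol $(\delta \mid p)$ with the $p = 2$ rule, the parity test on $e_p$ at inert primes that decides whether an ideal of norm m exists at all, a brute-force enumeration of all $\pi = (x + y\sqrt{\delta})/2 \in \mathcal{O}_K$ with $N_K(\pi) = m$ for small m (optionally restricted to $\pi \notin 2\mathcal{O}_K$, the condition used for the $2^n = N_K(\pi)$ step in the next chapter), and, for a prime p, Cornacchia's algorithm for $4p = x^2 + |\delta|y^2$. Cornacchia's algorithm is the standard method for the prime case and is assumed here in place of the lattice search of the text. `cm_curve_orders` returns the two orders $p + 1 \pm x$ of the curves with CM by $\delta$ ($\#E = N_K(1 - \pi)$ with Frobenius $\pi$); all function names are my own.

```python
from math import isqrt

def kronecker(delta, p):
    """(delta | p) for a discriminant delta (0 or 1 mod 4) and a prime p:
    Legendre symbol for odd p, Kronecker symbol for p = 2 (the mod-8 rule above)."""
    if p == 2:
        r = delta % 8
        return -1 if r == 5 else (0 if r % 4 == 0 else 1)
    d = delta % p
    if d == 0:
        return 0
    return 1 if pow(d, (p - 1) // 2, p) == 1 else -1

def factorize(m):
    """Trial division, m = prod p^e_p -> {p: e_p}; adequate for the small m used here."""
    fac, p = {}, 2
    while p * p <= m:
        while m % p == 0:
            fac[p] = fac.get(p, 0) + 1
            m //= p
        p += 1
    if m > 1:
        fac[m] = fac.get(m, 0) + 1
    return fac

def ideal_of_norm_exists(m, delta):
    """An ideal of norm m exists unless an inert prime ((delta|p) = -1) divides m to an odd power."""
    return all(e % 2 == 0 or kronecker(delta, p) != -1 for p, e in factorize(m).items())

def norm_representations(m, delta, primitive_only=False):
    """All pi = (x + y sqrt(delta))/2 in O_K with N_K(pi) = m, i.e. x^2 + |delta| y^2 = 4m,
    found by enumerating y (O(sqrt(m/|delta|)) steps, so only for small m).
    primitive_only drops pi in 2 O_K: x, y both even with (x/2, y/2) again a valid pair."""
    d, sols = -delta, set()
    for y in range(isqrt(4 * m // d) + 1):
        x2 = 4 * m - d * y * y
        x = isqrt(x2)
        if x * x != x2:
            continue
        if primitive_only and x % 2 == 0 and y % 2 == 0 and (x // 2 - (y // 2) * delta) % 2 == 0:
            continue
        sols.update({(x, y), (-x, y), (x, -y), (-x, -y)})
    return sorted(sols)

def sqrt_mod(a, p):
    """Tonelli-Shanks: r with r^2 = a (mod p) for an odd prime p, or None if a is a non-residue."""
    a %= p
    if a == 0:
        return 0
    if pow(a, (p - 1) // 2, p) != 1:
        return None
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)
    q, s = p - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:   # any quadratic non-residue
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r

def cornacchia(p, delta):
    """Solve 4p = x^2 + |delta| y^2 for an odd prime p that splits in K ((delta|p) = 1).
    Returns (x, y) with x, y >= 0, or None.  Cornacchia's algorithm (Cohen, Alg. 1.5.3)."""
    if p == 2 or delta % p == 0:
        return None
    x0 = sqrt_mod(delta, p)
    if x0 is None:
        return None
    if (x0 - delta) % 2:            # want x0 = delta (mod 2) so that x0^2 = delta (mod 4p)
        x0 = p - x0
    a, b = 2 * p, x0
    limit = isqrt(4 * p)             # floor(2 sqrt(p))
    while b > limit:                 # Euclid, stopped at the first remainder below 2 sqrt(p)
        a, b = b, a % b
    c, rem = divmod(4 * p - b * b, -delta)
    if rem:
        return None
    y = isqrt(c)
    return (b, y) if y * y == c else None

def cm_curve_orders(p, delta):
    """Orders p + 1 - x and p + 1 + x of the two curves over F_p with CM by delta,
    pi = (x + y sqrt(delta))/2 being the Frobenius and #E = N_K(1 - pi)."""
    sol = cornacchia(p, delta)
    if sol is None:
        return None
    x = sol[0]
    return sorted((p + 1 - x, p + 1 + x))

if __name__ == "__main__":
    print(norm_representations(8, -7), norm_representations(8, -7, primitive_only=True))
    print(cm_curve_orders(10**40 + 121, -67))   # p1 and delta_K = -67 from Section 6.3
```

Run on the first prime of Section 6.3, $p_1 = 10^{40} + 121$ with $\delta_K = -67$, `cm_curve_orders` reproduces the two group orders listed there; for $2^n$ in the $\mathbb{F}_{2^n}$ design the same brute-force search is hopeless and the lattice method of the text (or SIMATH's ipprniqf) is the one to use.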

Having seen how to solve the norm equation, let us look into how elliptic curves over 
$\mathbb{F}_{2^n}$ useful for cryptographic purposes can be constructed. Based on discrete logarithms 
and the MOV attack, the (non-supersingular) elliptic curves which are suitable are those with 
group order $m = \#E(\mathbb{F}_{2^n}) = c \cdot q$ with q a prime and $c \le c_{\max}$. The constant $c_{\max}$ 
decides in which larger extension (of $\mathbb{F}_{2^n}$) one has to work the discrete log problem (DLP) 
in order to crack the elliptic DLP by the MOV attack [Men1]. 

We choose n based on other features like the existence of an ONB or a convenient irreducible 
polynomial etc. We look for an imaginary quadratic field K of class number n such that 
2 splits completely in K, i.e. $\delta_K \equiv 1 \bmod 8$, and solve $2^n = N_K(\pi)$ for $\pi \in \mathcal{O}_K \setminus 2\mathcal{O}_K$. For 
$m = N_K(1 - \pi)$ of the form $m = c \cdot q_*$ with $q_*$ a prime (* will indicate the number of 
decimal digits of $q_*$) and $c \le c_{\max} = 100$ or so, we succeed. If we took K to have a divisor 
of n as class number, then m would not be of the desired form $m = c \cdot q_*$, because we then 
would have a representation $m = N_K(1 - \ldots)$ and m could not have a large prime 

divisor $q_*$. We only look for K's with $\delta_K \not\equiv 0 \bmod 3$, which enables us to use the Yui-Zagier 
reduced class equation $W = W_\delta[f^*]$. The polynomial W is clearly irreducible over GF(2) 
and we can use it to generate $\mathbb{F}_{2^n}$. A root of W mod 2 over $\mathbb{F}_{2^n}$ is then trivially computed 
and from the last row of Table 1 we get $j(E)$. That is 

$$\mathbb{F}_{2^n} \cong \mathbb{F}_2[x]/W\mathbb{F}_2[x] \cong \mathbb{F}_2(g), \qquad \text{where } W(g) = 0,$$ 

$$a = \sum_{i=0}^{n-1} a_i\, g^i \in \mathbb{F}_2(g), \qquad a_i \in \mathbb{F}_2 .$$ 
Chapter 6 


Results and Conclusion 


In this chapter, we will see the results of the implementation of all computational procedures 
which we saw in the previous chapters, along with the underlying theory. We will first list 
the results related to finite field arithmetic and later look into the actual design of 
elliptic curves suitable for public-key cryptosystems. We also include the results related 
to the implementation of Elliptic Curve Cryptosystems. 


6.1 Normal Basis Arithmetic 

To get the bilinear form $c_0 = A\,\Lambda\,B^{T}$ required for implementing the arithmetic operation of 
multiplication w.r.t. the chosen ONB, a general program has been written. The program 
is based on what we have derived in Chapters 3 & 4. This program will give $c_0$ in the 
expanded form, and hence is suitable for direct implementation. That is, it gives $c_0$ in the 
form 

$$c_0 = a_0 b_1 + a_1\bigl(b_{(\,)} + b_{(\,)}\bigr) + \cdots$$ 

The correctness of the derived formula has been checked by verifying 

$$C = A \cdot B = B \cdot A, \qquad A \cdot 1 = 1 \cdot A \qquad \text{and} \qquad A \cdot A^{-1} = 1 .$$ 

A program which will enable us to get the matrix of transformation from any basis to any 
other basis has also been written, the theory for which we saw in Chapter 4. 
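As an added example (my code, not the thesis's program), here is a small Python model of the type I ONB case, which exists for n with n + 1 prime and 2 a primitive root mod n + 1 (assumed; the other ONB types are not modelled). It builds the $\Lambda$ matrix of $c_0 = A\,\Lambda\,B^{T}$ from the root-of-unity exponents, prints $c_0$ in the expanded form described above, obtains every $c_k$ from $c_0$ by the cyclic shifts that squaring gives in a normal basis, and runs the three identity checks stated above (plus $A \cdot A = A^2$, which ties the bilinear form to the shift). Class and function names are my own.

```python
import random
from math import isqrt

def _is_prime(n):
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))

class Type1ONB:
    """GF(2^n) with a type I optimal normal basis {beta^(2^i) : 0 <= i < n}, beta a primitive
    (n+1)-th root of unity.  Assumed precondition: n+1 prime and 2 a primitive root mod n+1.
    Elements are n-tuples of coordinate bits."""

    def __init__(self, n):
        p = n + 1
        self.pow2 = [pow(2, i, p) for i in range(n)]          # exponent of beta for basis element i
        if not _is_prime(p) or len(set(self.pow2)) != n:
            raise ValueError(f"no type I ONB for n = {n}")
        self.n, self.p = n, p
        log = {self.pow2[i]: i for i in range(n)}             # exponent -> basis index
        # Lambda matrix of c_0 = A Lambda B^T:  beta^(2^i) * beta^(2^j) = beta^((2^i + 2^j) mod p),
        # except that an exponent sum of 0 mod p gives 1 = sum of all basis elements.
        # lam[i][j] = 1 iff that product has coordinate 1 at basis element 0.
        self.lam = [[0] * n for _ in range(n)]
        for i in range(n):
            for j in range(n):
                s = (self.pow2[i] + self.pow2[j]) % p
                if s == 0 or log[s] == 0:
                    self.lam[i][j] = 1

    def one(self):
        return (1,) * self.n          # 1 = sum of all basis elements in a type I ONB

    def c0(self, a, b):
        """The bilinear form c_0 = A Lambda B^T evaluated over GF(2)."""
        return sum(a[i] & b[j] & self.lam[i][j] for i in range(self.n) for j in range(self.n)) & 1

    def mul(self, a, b):
        """c_k = c_0(A^(2^-k), B^(2^-k)); in a normal basis a 2^-k-th power is a cyclic left shift by k."""
        return tuple(self.c0(a[k:] + a[:k], b[k:] + b[:k]) for k in range(self.n))

    def sqr(self, a):
        return a[-1:] + a[:-1]        # squaring is a cyclic right shift of the coordinates

    def power(self, a, e):
        result, base = self.one(), a
        while e:
            if e & 1:
                result = self.mul(result, base)
            base, e = self.sqr(base), e >> 1
        return result

    def inv(self, a):
        return self.power(a, (1 << self.n) - 2)   # a^(2^n - 2) = a^(-1) for a != 0

    def c0_expanded(self):
        """c_0 written out as a_i times a sum of b_j's, the form the text describes."""
        terms = []
        for i in range(self.n):
            bs = [f"b{j}" for j in range(self.n) if self.lam[i][j]]
            if bs:
                terms.append(f"a{i}*{bs[0]}" if len(bs) == 1 else f"a{i}*({' + '.join(bs)})")
        return " + ".join(terms)

    def random_element(self):
        return tuple(random.randrange(2) for _ in range(self.n))

def check_identities(n, trials=20):
    """C = A*B = B*A, A*1 = A, A*A^-1 = 1 and A*A = A^2 on random elements of GF(2^n)."""
    F = Type1ONB(n)
    for _ in range(trials):
        a, b = F.random_element(), F.random_element()
        if F.mul(a, b) != F.mul(b, a) or F.mul(a, F.one()) != a or F.mul(a, a) != F.sqr(a):
            return False
        if any(a) and F.mul(a, F.inv(a)) != F.one():
            return False
    return True

if __name__ == "__main__":
    F = Type1ONB(10)
    print("c_0 =", F.c0_expanded())
    print("nonzero lambda entries:", sum(map(sum, F.lam)), "(optimal: 2n-1 =", 2 * F.n - 1, ")")
    print("identities hold:", check_identities(10))
```

The count of nonzero entries of $\Lambda$ is exactly $2n - 1$, which is what makes the basis optimal: a hardware multiplier needs that many cell interconnections, and the same $c_0$ circuit produces every $c_k$ from shifted inputs.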

A search for other irreducible polynomials using randomized algorithms [Men2], in 
the fields having an ONB, has also been done. The results of the search for the extensions 
GF($2^{239}$), GF($2^{281}$) and GF($2^{333}$) are the following irreducible polynomials: 

$$x^{239} + x^{36} + 1, \qquad x^{281} + x^{\ldots} + 1, \qquad x^{333} + x^{99} + 1 .$$ 

These can be used to generate a polynomial basis. 
6.2 Elliptic Curve Cryptosystems 

For the implementation of elliptic curve cryptosystems, the number-theoretic package 
SIMATH ver 3.9 has been used. For certain other off-line computations the package 
PARI/GP has also been used. For all the underlying computations, the currently best 
known (computational) algorithms have been studied and used. We have written a fairly 
general program in that the choice of the curve can be made at run-time from a file. Now 
let us see the implementation details of the ElGamal scheme for public key encryption. 

ElGamal scheme: This is another public key cryptosystem for transmitting messages 
$m \mapsto P_m$. As in the key exchange system [Kob1], we start with a fixed publicly known 
finite field $\mathbb{F}_q$, an elliptic curve E defined over it, and a base point $P \in E$. (We do not need to 
know the number of points $\#E(\mathbb{F}_q)$.) Each user chooses a random integer n, which is kept 
secret, and publishes the point $n \cdot P$. 

To send a message $P_m$ to user B, user A chooses a random integer k and sends the pair 
of points $(k \cdot P,\ P_m + k(k_B \cdot P))$ (where $k_B \cdot P$ is user B's public key). To read the message, 
user B multiplies the first point in the pair by his secret $k_B$ and subtracts the result from 
the second point: 

$$P_m + k(k_B \cdot P) - k_B(k \cdot P) = P_m .$$ 

Thus user A sends a disguised $P_m$ along with a clue $k \cdot P$ which is enough to remove the 
mask $k(k_B \cdot P)$ if one knows the secret integer $k_B$. An eavesdropper who can solve the 
discrete log problem on E (EDLP) can, of course, determine $k_B$ from the publicly known 
information P and $k_B \cdot P$. 

So the main steps involved are as follows: 

1. Selecting a random point P, $k_A$, $k_B$, and k. 

2. Mapping the message (see Chapter 4 for details of the algorithms used) to a point on 
the curve, i.e. $m \mapsto P_m$. 

3. Computing $k \cdot P$ and $P_m + k \cdot (k_B \cdot P)$. 

We used the ASCII characters as numbers from 000 to 255. Each message was chosen 
to be of 10 ASCII characters, and hence we have to work with a curve defined over a field 
GF(p) where p is a prime having more than 30 digits (since 10 ASCII characters, each a 
three-digit number between 000 and 255, would give a maximum number 255255···255 
having 3 × 10 digits). An experimentally observed fact regarding the message mapping rule 
which was suggested by N. Koblitz [Kob1] was that it was very efficient in that, over a large 
finite field, on an average it required only 3 to 4 trials to be successful. The main time 
consuming steps are the Legendre symbol computation, the solution of the quadratic, and of 
course computing k times a point. For the computation of k times a point, we can 
use the addition-subtraction chains method suggested by Staffelbach. For core arithmetic 
operations, it is found that the arithmetic packages PARI and/or MIRACL are well 
suited. 
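A worked version of the scheme and the message rule just described, as an added example (my code, not the thesis's SIMATH/PARI program): the parameters are constructed, p = 2^127 − 1 (a prime with p ≡ 3 mod 4, so the square root in the embedding is one exponentiation) and an arbitrary curve $y^2 = x^3 + ax + b$; the encoding is the thesis's three decimal digits per ASCII character; the embedding is Koblitz's $x = mK + j$ with the Legendre test; and the exchange is the pair $(k \cdot P,\ P_m + k(k_B \cdot P))$ with the subtraction on the receiving side. The curve order is never needed, as the text says. All names are my own.

```python
import random

# Constructed demo parameters (assumed, not the thesis's curve or prime).  p = 2^127 - 1 is a
# Mersenne prime with p = 3 (mod 4), so sqrt(z) = z^((p+1)/4) mod p.  a and b are arbitrary.
P_MOD = (1 << 127) - 1
A_COEF = P_MOD - 3
B_COEF = 12345
K_TRIALS = 100          # Koblitz embedding: x = m*K + j, 0 <= j < K; fails with probability ~2^-K

def is_square(z):
    """Legendre test (z | p) in {0, 1}; this and the square root dominate the embedding cost."""
    z %= P_MOD
    return z == 0 or pow(z, (P_MOD - 1) // 2, P_MOD) == 1

def sqrt_p3mod4(z):
    return pow(z, (P_MOD + 1) // 4, P_MOD)

def on_curve(pt):
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A_COEF * x + B_COEF)) % P_MOD == 0

def ec_add(p1, p2):
    """Affine group law on y^2 = x^3 + ax + b over F_p; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None                      # P + (-P) = O (also doubling a point with y = 0)
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def ec_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P_MOD)

def ec_mul(k, pt):
    """k * P by double-and-add (the text mentions addition-subtraction chains as the faster choice)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return result

def text_to_int(s):
    """The thesis's encoding: each ASCII character as a three-digit number 000..255, concatenated."""
    return int("".join(f"{ord(ch):03d}" for ch in s))

def int_to_text(m, length):
    digits = str(m).zfill(3 * length)
    return "".join(chr(int(digits[i:i + 3])) for i in range(0, 3 * length, 3))

def embed(m):
    """Koblitz's probabilistic map m -> P_m: try x = m*K + j until x^3 + ax + b is a square.
    Returns (point, number of trials used)."""
    if (m + 1) * K_TRIALS >= P_MOD:
        raise ValueError("message too large for this field")
    for j in range(K_TRIALS):
        x = m * K_TRIALS + j
        z = (x * x * x + A_COEF * x + B_COEF) % P_MOD
        if is_square(z):
            return (x, sqrt_p3mod4(z)), j + 1
    raise ValueError("embedding failed (probability about 2^-K)")

def unembed(pt):
    return pt[0] // K_TRIALS

def keygen(base):
    secret = random.randrange(1, P_MOD)
    return secret, ec_mul(secret, base)                      # (k_B, k_B * P)

def encrypt(base, pub, pm):
    k = random.randrange(1, P_MOD)
    return ec_mul(k, base), ec_add(pm, ec_mul(k, pub))       # (k * P, P_m + k * (k_B * P))

def decrypt(secret, ciphertext):
    c1, c2 = ciphertext
    return ec_add(c2, ec_neg(ec_mul(secret, c1)))            # P_m + k(k_B P) - k_B(k P) = P_m

def roundtrip(message):
    """Full exchange of a message of up to 10 characters; returns the decrypted text and the trial count."""
    base = embed(2**100 + 7)[0]   # any curve point serves as base point; its order is not needed
    secret, pub = keygen(base)
    pm, trials = embed(text_to_int(message))
    recovered = decrypt(secret, encrypt(base, pub, pm))
    return int_to_text(unembed(recovered), len(message)), trials

if __name__ == "__main__":
    print(roundtrip("HelloWorld"))
```

`embed` returns the number of trials it needed, so averaging it over many messages checks the observation about trial counts made above: about half of all x give a square, so the expected number is small and the failure probability after K tries is about $2^{-K}$.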


6.3 Design of Elliptic Curves 

All the computational aspects and theory related to the design of curves have been dis- 
cussed in Chapter 4. For the design also, we used the package SIMATH. After looking into 
the implementation details of some of the routines which are useful in the design of elliptic 
curves, it is suggested that for all the off-line computations (in fact the design of curves 
is invariably off-line) we can use SIMATH. The various curves over $\mathbb{F}_p$ as well as $\mathbb{F}_{2^n}$ which 
were designed using SIMATH are listed below as examples: 

Curves over GF(p): 

Here we give the p value, the discriminant $\delta_K$ selected, and the corresponding class num- 
ber $h_K$. The curves are specified by the Weierstrass short normal form $y^2 = x^3 + ax + b \Rightarrow$ 
EC(a, b) and their orders by $m = \#E(\mathbb{F}_p)$. 

in: p1 = 10^40 + 121 : p1 = 10000000000000000000000000000000000000121 

discriminant = -67 
class number = 1 
out: m = 10000000000000000000187300599782321059201: EC(6561055637666044824543989193463688093337, 4374037091777363216362659462309125395558) 
out: m = 9999999999999999999812699400217678941043: EC(6868590924307327964686734696635115775535, 2924361375024414926768705033371681165977) 

discriminant = -187 
class number = 2 
out: m = 10000000000000000000176014087816420396971: EC(2270555119736073792163330776700277340914, 6826570567784733511010165536483478846906) 
out: m = 9999999999999999999823985912183579603273: EC(8823205974503279702948540359853664867516, 5882137316335519801965693573235776578344) 

discriminant = -245 
class number = 2 
out: m = 10000000000000000000067936536813851950100: EC(826485124697160355189218106558154784865, 7217656749798106903459478737705436523324) 
out: m = 9999999999999999999932063463186148050144: EC(52827155356510854761 0775 ] 92372093(555 126, 3957933440189367412929675 1541 92359482379) 

discriminant = -176 
class number = 1 
out: m = 10000000000000000000195354787501168797527: EC(7464421519790791672008581471508065579649, 8108965525590569803016002237585945609556) 
out: m = 9999999999999999999804645212498831202717: EC(6048237476808905380333951762523191094690, 7365491651205936920222634508348794063167) 

discriminant = -198 
class number = 2 
out: m = 10000000000000000000200000000000000000100: EC(8240783563807783422645034650855562465765, 7576162065425396929449750533659534831543) 
out: m = 9999999999999999999800000000000000000144: EC(2022274876772027700029919696141406335312, 8014849917848018466686613130761004223622) 

discriminant = -245 
class number = 2 
out: m = 10000000000000000000067936536813851950100: EC(826485124697160355189218106558154784865, 7217656749798106903459478737705436523324) 
out: m = 9999999999999999999932063463186148050144: EC(5689568554650455446854073931592574341908, 8188018837574061947637579163802510550681) 

in: p2 = 10^40 + 139 : p2 = 10000000000000000000000000000000000000139 

discriminant = -67 
class number = 1 
out: m = 10000000000000000000182570194746819267243: EC(8166513910955278201196923858678742913966, 2650211790443763828453108443141422182560) 
out: m = 9999999999999999999817429805253180733037: EC(5821611149727517494746460664602969283007, 7214407433151678329830973776401979522051) 

discriminant = -83 
class number = 3 
out: m = 10000000000000000000027197244590236691852: EC(5952229648594025980423024996509957389217, 3968153099062683986948683331006638259478) 
out: m = 9999999999999999999972802755409763308428: EC(426567426660303671665276062221298372082, 1307063618170504052058387738875148749765) 

discriminant = -98 
class number = 1 
out: m = 10000000000000000000199743231086515860662: EC(8488514886581454127062607878740381452041, 4573613802917390931880245716350371150783) 
out: m = 9999999999999999999800256768913484139618: EC(9897959183673469387755102040816326530746, 3265306122448979591836734693877551020451) 

discriminant = -90 
class number = 2 
out: m = 10000000000000000000033029707174324936026: EC(5667120615973558252394396128239333350130, 4947391507890054814591022459265828517800) 
out: m = 9999999999999999999966970292825675064254: EC(2409734213814731433788879468775680907857, 4939822809209820955859252979183787271951) 

discriminant = -160 
class number = 2 
out: m = 10000000000000000000033029707174324936026: EC(7784603537290712856328077826897332872418, 136177953851978135374410537582067985777) 
out: m = 9999999999999999999966970292825675064254: EC(2409734213814731433788879468775680907857, 4939822809209820955859252979183787271951) 

in: p3 = 10^55 + 21 
out: p3 = 10000000000000000000000000000000000000000000000000000021 

discriminant = -59 
class number = 3 
out: m = 10000000000000000000000000005752581362994616312599997200: EC(1666884442791292001929670934659134923224673893785202925, 1111256295194194667953113956139423282 J 4 9782595856801950) 
out: m = 9999999999999999999999999994247418637005383687400002844: EC(3414770862012023731723971285923172937999171447593656565, 5245304290534685608873337045910334562282607627647773232) 

discriminant = -87 
class number = 6 
out: m = 10000000000000000000000000006295856944542504074692364748: EC(3241891049906791566977724635525347838536221046022015108, 8827927366604527711318483090350231892357480697348010086) 
out: m = 9999999999999999999999999993704143055457495925307635296: EC(5685084582630754578477775322744613371686624552160665670, 1685096405499587899571197822284146542642647777364120257) 

in: p4 = 10^60 + 7 
out: p4 = 1000000000000000000000000000000000000000000000000000000000007 

discriminant = -63 
class number = 1 
out: m = 1000000000000000000000000000002000000000000000000000000000008: EC(594869185769103146433094390202797286130086280367384574107636, 909270353566745167175352147093986471725289118905234193434703) 
out: m = 999999999999999999999999999998000000000000000000000000000008: EC(873015873015873015873015873015873015873015873015873015873020, 915343915343916343915343915343915343915343915343915343915349) 

discriminant = -175 
class number = 1 
out: m = 1000000000000000000000000000002000000000000000000000000000008: EC(166975018920243079333967240375609451759559971685246269456577, 882220913038089182778158531612022508473984519723241836038273) 
out: m = 999999999999999999999999999998000000000000000000000000000008: EC(873015873015873015873015873015873015873015873015873015873020, 915343915343914343915343915343915343915343915343915343915349) 


Curves over $\mathbb{F}_{2^n}$: 

We know, from the last section of the previous chapter, that after choosing the value 
of n we look for an imaginary quadratic field K of class number n such that 2 splits 
completely in K, i.e. $\delta_K \equiv 1 \bmod 8$ [Cohn1], and solve $2^n = N_K(\pi)$ for $\pi \in \mathcal{O}_K \setminus 2\mathcal{O}_K$. 
For $m = N_K(1 - \pi)$ of the form $m = c \cdot q_*$ with $q_*$ a prime (* will indicate the number 
of decimal digits in $q_*$) and $c \le c_{\max} = 100$, we succeed. We look for K's with $\delta_K \not\equiv 0 
\bmod 3$, which enables us to use the Yui-Zagier reduced class equation $W = W_\delta[f^*]$. If 
the root of the polynomial W mod 2 is $\alpha$, then the j-invariant of the curve is given by 
$\gamma_p(x) = (x^{\ldots} - 16)/x^{\ldots}$, that is $j(E) = \psi_n(\alpha) \bmod 2$, and hence from the defining 
equation of the curve we have that 

$$E : y^2 + xy = x^3 + a_2 x^2 + j^{-1} \qquad \text{with } a_2 \in \{0, \gamma\},$$ 

where $\gamma \in \mathbb{F}_{2^n}$ is any element such that $\mathrm{Tr}(\gamma) = 1$. Here is a listing of some values of n 
for which we designed the curves. (The j-invariant is specified in terms of the minimal 
polynomial W mod 2, i.e. as any of its roots.) 
We are specifying the polynomials as a sequence of (exponent, coefficient) pairs corre- 
sponding to the monomials having nonzero coefficients (this is also called "sparse represen- 
tation of polynomials"). For each example, we also explicitly give, in that order, the values of 
$\delta_K$, $h_K$, $n_K$ (the decimal precision required), the selected $c_{\max}$, $q_*$, $c = \#E(\mathbb{F}_{2^n})/q_*$, the number of 
imaginary quadratic fields $K'$ having class number $= n$ and $\delta_{K'} > \delta_K$, which we 
denote as $u_n(\delta_K)$, and $\nu(-1.6 \cdot 10^6)$. We have used a dictionary that gives us a 
$\delta_K$ for given $h_K$ to reduce the time of search for the suitable imaginary quadratic field K. 
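As an added example (my code, not the thesis's SIMATH run) that serves both the irreducible trinomials listed in Section 6.1 and the sparse listings that follow: a parser for the "( exponent coefficient ... )" format into a GF(2)[x] polynomial held as a Python integer (bit i is the coefficient of $x^i$), arithmetic modulo such a polynomial, and Rabin's irreducibility test, which is the check one would run on any W mod 2 before using it to generate $\mathbb{F}_{2^n}$. The function names are mine.

```python
def parse_sparse(text):
    """'( e1 c1 e2 c2 ... )' with GF(2) coefficients -> integer whose bit i is the coefficient of x^i."""
    tokens = text.replace("(", " ").replace(")", " ").split()
    if len(tokens) % 2:
        raise ValueError("exponents and coefficients must come in pairs")
    poly = 0
    for exp, coef in zip(tokens[::2], tokens[1::2]):
        if int(coef) & 1:
            poly ^= 1 << int(exp)
    return poly

def to_sparse(poly):
    """Inverse of parse_sparse, exponents in decreasing order as in the listings."""
    return "( " + " ".join(f"{i} 1" for i in range(poly.bit_length() - 1, -1, -1) if poly >> i & 1) + " )"

def pmod(a, m):
    """a mod m in GF(2)[x]: cancel the leading term of a with a shifted copy of m until deg a < deg m."""
    dm = m.bit_length() - 1
    while a and a.bit_length() - 1 >= dm:
        a ^= m << (a.bit_length() - 1 - dm)
    return a

def pmulmod(a, b, m):
    """a * b mod m in GF(2)[x] by shift-and-xor, reducing a after every shift."""
    dm = m.bit_length() - 1
    a, r = pmod(a, m), 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> dm & 1:
            a ^= m
    return r

def pgcd(a, b):
    while b:
        a, b = b, pmod(a, b)
    return a

def prime_factors(n):
    out, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            out.add(p)
            n //= p
        p += 1
    if n > 1:
        out.add(n)
    return out

def is_irreducible(f):
    """Rabin's test: f of degree n is irreducible over GF(2) iff x^(2^n) = x (mod f) and
    gcd(x^(2^(n/q)) - x, f) = 1 for every prime q dividing n."""
    n = f.bit_length() - 1
    if n < 1:
        return False
    if n == 1:
        return True
    x = 0b10
    h = x
    for _ in range(n):                 # h = x^(2^n) mod f by repeated squaring (Frobenius)
        h = pmulmod(h, h, f)
    if h != x:
        return False
    for q in prime_factors(n):
        h = x
        for _ in range(n // q):
            h = pmulmod(h, h, f)
        if pgcd(h ^ x, f) != 1:        # a common factor of degree dividing n/q
            return False
    return True

def trinomial(n, k):
    return (1 << n) | (1 << k) | 1

if __name__ == "__main__":
    w = parse_sparse("( 4 1 1 1 0 1 )")         # constructed sample: x^4 + x + 1
    print(to_sparse(w), is_irreducible(w))
    print("x^239 + x^36 + 1 irreducible:", is_irreducible(trinomial(239, 36)))
```

Rabin's test costs n squarings modulo f per check, each a shift-and-xor loop of degree-n length, so even the degree-311 class equations listed below take well under a second; feeding one of the listings through `parse_sparse` and `is_irreducible` is also a quick way to catch a transcription error in the exponent list.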

For the field GF($2^{191}$): 

$\delta_K = -87887$, $h_K = 191$, $n_K = 81$, $c_{\max} = 100$, $q_* = q_{58}$, $c = \#E(\mathbb{F}_{2^n})/q_* = 2^3 \cdot 3$, 
$u_n(\delta_K) = 10$, $\nu(-1.6 \cdot 10^6) = 184$ 

The reduced class equation $W_\delta[f^*]$ mod 2: 

( 191 1 190 1 186 1 185 1 184 1 181 1 180 1 178 1 176 1 175 1 173 1 172 1 170 1 168 1 
164 1 161 1 160 1 159 1 156 1 155 1 154 1 153 1 151 1 149 1 146 1 144 1 143 1 142 1 139 
1 136 1 134 1 133 1 132 1 130 1 127 1 125 1 124 1 121 1 120 1 119 1 116 1 115 1 110 1 
108 1 105 1 103 1 99 1 98 1 95 1 90 1 86 1 81 1 79 1 77 1 76 1 75 1 74 1 72 1 70 1 69 
1 67 1 66 1 65 1 64 1 62 1 61 1 57 1 56 1 54 1 53 1 51 1 49 1 48 1 45 1 43 1 42 1 41 1 
39 1 38 1 36 1 35 1 31 1 30 1 29 1 28 1 27 1 26 1 24 1 23 1 21 1 19 1 17 1 15 1 12 1 8 1 6 1 0 1 ) 


For the field GF($2^{293}$): 

$\delta_K = -67559$, $h_K = 293$, $n_K = 99$, $c_{\max} = 100$, $q_* = q_{87}$, $c = \#E(\mathbb{F}_{2^n})/q_* = 2 \cdot 3 \cdot 5$, 
$u_n(\delta_K) = 2$, $\nu(-1.6 \cdot 10^6) = 127$ 

The reduced class equation $W_\delta[f^*]$ mod 2: 

( 293 1 289 1 286 1 284 1 283 1 280 1 278 1 277 1 276 1 275 1 268 1 266 1 263 1 262 1 260 
1 257 1 255 1 253 1 251 1 250 1 246 1 244 1 242 1 241 1 239 1 237 1 234 1 233 1 232 1 231 
1 230 1 229 1 227 1 224 1 223 1 222 1 221 1 219 1 218 1 217 1 214 1 212 1 211 1 210 1 209 
1 208 1 206 1 205 1 202 1 200 1 197 1 195 1 193 1 192 1 190 1 189 1 188 1 187 1 186 1 185 
1 183 1 180 1 178 1 177 1 175 1 173 1 172 1 171 1 169 1 168 1 166 1 161 1 160 1 159 1 158 
1 156 1 154 1 153 1 152 1 151 1 150 1 147 1 146 1 145 1 144 1 142 1 139 1 138 1 137 1 135 
1 134 1 130 1 129 1 128 1 127 1 126 1 123 1 117 1 116 1 115 1 114 1 113 1 105 1 103 1 101 
1 100 1 99 1 95 1 94 1 93 1 92 1 90 1 89 1 88 1 86 1 85 1 83 1 81 1 80 1 78 1 77 1 76 1 75 
1 74 1 73 1 72 1 71 1 67 1 66 1 62 1 61 1 57 1 56 1 52 1 49 1 44 1 43 1 41 1 40 1 38 1 37 
1 36 1 35 1 34 1 33 1 32 1 31 1 30 1 29 1 27 1 26 1 25 1 24 1 21 1 20 1 10 1 9 1 8 1 3 1 2 1 0 1 ) 


For the field GF($2^{300}$): 

$\delta_K = -116087$, $h_K = 300$, $n_K = 108$, $c_{\max} = 100$, $q_* = q_{90}$, $c = \#E(\mathbb{F}_{2^n})/q_* = 2^{\ldots}$, 
$u_n(\delta_K) = 22$, $\nu(-1.6 \cdot 10^6) = 2216$ 

The reduced class equation $W_\delta[f^*]$ mod 2: 

( 300 1 298 1 297 1 293 1 292 1 291 1 289 1 286 1 284 1 283 1 281 1 279 1 277 1 276 1 273 1 
268 1 263 1 262 1 261 1 259 1 258 1 257 1 256 1 253 1 252 1 248 1 246 1 245 1 244 1 243 1 
239 1 237 1 236 1 234 1 231 1 230 1 227 1 226 1 225 1 223 1 222 1 218 1 217 1 213 1 212 1 208 
1 207 1 206 1 204 1 201 1 199 1 197 1 195 1 190 1 189 1 187 1 186 1 182 1 179 1 178 1 177 1 
172 1 171 1 170 1 168 1 166 1 165 1 161 1 160 1 159 1 157 1 156 1 155 1 153 1 152 1 148 1 146 
1 145 1 144 1 141 1 140 1 137 1 136 1 135 1 134 1 133 1 130 1 128 1 124 1 123 1 122 1 120 1 
113 1 111 1 108 1 107 1 105 1 104 1 98 1 97 1 91 1 89 1 86 1 85 1 82 1 80 1 79 1 75 1 74 1 73 
1 71 1 69 1 67 1 66 1 64 1 63 1 60 1 59 1 57 1 51 1 50 1 49 1 48 1 47 1 46 1 42 1 41 1 38 1 37 
1 36 1 32 1 31 1 30 1 27 1 26 1 24 1 22 1 21 1 20 1 16 1 13 1 12 1 11 1 8 1 7 1 6 1 4 1 3 1 0 1 ) 


For the field GF($2^{307}$): 

$\delta_K = -316759$, $h_K = 307$, $n_K = 126$, $c_{\max} = 100$, $q_* = q_{92}$, $c = \#E(\mathbb{F}_{2^n})/q_* = 2$, 
$u_n(\delta_K) = 24$, $\nu(-1.6 \cdot 10^6) = 145$ 

The reduced class equation $W_\delta[f^*]$ mod 2: 

( 307 1 306 1 305 1 304 1 303 1 301 1 300 1 299 1 297 1 296 1 294 1 291 1 290 1 288 1 
287 1 285 1 283 1 282 1 281 1 277 1 276 1 275 1 274 1 272 1 269 1 267 1 265 1 264 1 
263 1 259 1 258 1 256 1 255 1 251 1 247 1 245 1 244 1 243 1 237 1 236 1 233 1 230 1 228 
1 225 1 223 1 221 1 220 1 219 1 218 1 216 1 215 1 213 1 212 1 210 1 208 1 206 1 204 1 
202 1 201 1 200 1 195 1 194 1 193 1 192 1 191 1 189 1 187 1 185 1 184 1 183 1 182 1 181 
1 179 1 175 1 174 1 170 1 169 1 167 1 164 1 163 1 161 1 160 1 152 1 150 1 148 1 146 1 
145 1 142 1 140 1 138 1 136 1 134 1 133 1 130 1 129 1 126 1 125 1 124 1 122 1 121 1 
120 1 118 1 115 1 114 1 113 1 112 1 108 1 105 1 104 1 103 1 100 1 99 1 98 1 93 1 92 1 
89 1 88 1 87 1 86 1 85 1 84 1 83 1 82 1 81 1 80 1 79 1 78 1 77 1 75 1 74 1 73 1 72 1 71 
1 70 1 68 1 67 1 62 1 57 1 52 1 50 1 49 1 48 1 47 1 46 1 44 1 41 1 40 1 39 1 37 1 36 1 
35 1 34 1 33 1 26 1 24 1 23 1 21 1 18 1 17 1 15 1 14 1 13 1 11 1 9 1 8 1 5 1 4 1 3 1 2 1 1 1 0 1 ) 


For the field GF($2^{311}$): 

$\delta_K = -281959$, $h_K = 311$, $n_K = 135$, $c_{\max} = 100$, $q_* = q_{92}$, $c = \#E(\mathbb{F}_{2^n})/q_* = 2 \cdot 5^2$, 
$u_n(\delta_K) = 23$, $\nu(-1.6 \cdot 10^6) = 128$ 

The reduced class equation $W_\delta[f^*]$ mod 2: 

( 311 1 308 1 302 1 301 1 300 1 298 1 295 1 294 1 292 1 290 1 289 1 287 1 285 1 284 1 276 1 
274 1 272 1 271 1 268 1 264 1 262 1 260 1 258 1 257 1 256 1 255 1 254 1 249 1 247 1 242 1 241 
1 239 1 235 1 233 1 231 1 228 1 223 1 221 1 220 1 218 1 217 1 214 1 209 1 207 1 205 1 2o'i 
1 201 1 200 1 199 1 198 1 197 1 196 1 195 1 194 1 190 1 188 1 187 1 186 1 184 1 182 1 
180 1 179 1 178 1 177 1 176 1 174 1 172 1 171 1 169 1 168 1 167 1 166 1 165 1 159 1 152 1 ig 
1 148 1 146 1 145 1 143 1 142 1 137 1 135 1 133 1 132 1 131 1 129 1 127 1 125 1 124 1 123 1 
119 1 118 1 117 1 116 1 113 1 111 1 109 1 107 1 106 1 105 1 104 1 102 1 99 1 96 1 95 1 93 1 
91 1 90 1 87 1 85 1 79 1 77 1 76 1 75 1 74 1 71 1 70 1 69 1 66 1 63 1 61 1 56 1 53 1 49 1 43 1 
47 1 43 1 41 1 40 1 35 1 30 1 28 1 27 1 26 1 25 1 24 1 22 1 18 1 15 1 14 1 11 1 9 1 6 1 1 1 0 1 ) 

The main routines of SIMATH which were used in the design are as follows: 

sdisccleq: single discriminant, class equation: for building the class equation. 

upmirfspec: univariate polynomial over modular integers, root finding (special): to solve 
W mod 2 for a root. 

iecgnpj: integer elliptic curve of given number of points, j-invariant: for getting the 
j-invariant of the curve having the given order. 

iecjtoeqsv/iecjtoeq: integer elliptic curve with j-invariant given to equation: for getting 
the defining equation of the curve for which the j-invariant has been computed. 

ecmpcssa: elliptic curves over modular primes, combined Schoof-Shanks algorithm: to 
find the order of an elliptic curve [Men1]. 

iprniqf: integer prime as a norm in quadratic field: to solve the norm equation of a 
prime. 

iprpdbqf: integer primary positive definite binary quadratic forms. 

For solving the norm equation corresponding to a composite number, as we saw in 
the case of the design of curves over $\mathbb{F}_{2^n}$, we first factorize the number and then use ipprniqf 
(integer prime power as a norm in quadratic field). 


6.4 Conclusions 

After going through all the aspects involved in the design and implementation of El- 
liptic Curve Cryptosystems, and after actual implementation using the arithmetic packages 
SIMATH and PARI/GP, we have the following conclusions. 

For implementing cryptosystems over $\mathbb{F}_{2^n}$, normal basis (specifically ONB) representa- 
tion is the most suitable one in that we can do almost all the computations quite efficiently. 
If we can allocate extra memory, we can achieve additional saving in the time taken for certain 
computations. 

For implementing arithmetic in $\mathbb{F}_{2^n}$, our specific routines are more efficient compared 
to those existing in the packages SIMATH and PARI/GP. For implementing the bilinear 
form for multiplication in terms of an ONB, assembly level routines are to be written to achieve 
the maximum mults/sec. Since the design procedures have no restriction on the particular 
chosen field, we can always select a field which has an ONB (in fact even a PONB, if 
desired). 

Coming to the case of cryptosystems over $\mathbb{F}_p$, the routines in SIMATH are suitable and 
are quite efficient for the design of suitable curves. But for implementing the cryptosys- 
tems, the routines of PARI and/or SIMATH can be used. The most time consuming part 
is the computation of the Legendre character (symbol) encountered in message embedding and 
the solution of the quadratic congruence 

$$y^2 \equiv x_m^3 + a\,x_m + b \pmod p,$$ 

where $x_m$ is the number $mk + j$ whose $\chi_p(x_m) = 1$ (refer to Chapter 4 for message embed- 
ding). We have very efficient ways of computing $n \cdot P$, i.e. n times a point P. But 
when compared with cryptosystems over $\mathbb{F}_{2^m}$, those over $\mathbb{F}_p$ can be designed to be more 
secure, but the encryption time is more. Cryptosystems over $\mathbb{F}_{2^n}$ can also be easily imple- 
mented in hardware because representation of elements in terms of a normal basis reduces 
addition of two elements to modulo 2 addition of the corresponding vectors (XORing), 
and multiplication can be performed in n clock cycles if the bilinear form of multiplication 
$c_0$ is fused in hardware, which for ONBs demands the minimum number of cell interconnections. 


For the implementation of a full fledged (that is, one that can be used for real time 
encryption) Elliptic Curve Cryptosystem, all the basic blocks are to be highly optimized, e.g. 
the basic field arithmetic routines are to be written in assembly language. Our implementation 
was optimized only at the algorithm level. 







Bibliography 


[Abh] Abhyankar, S.S., Algebraic Geometry for Scientists and Engineers. AMS Publications, 1984. 

[Ahlf] Ahlfors, L., Complex Analysis: An Introduction to the Theory of Analytic Functions of One Complex Variable. McGraw-Hill, 1979. 

[AtMo] Atkin, A.O.L., Morain, F., "Elliptic Curves and Primality Proving", Math. of Comp., Vol. 61, No. 203, July 1993, pp. 29-68. 

[BCIS] Borel, A., Herz, C.S., Chowla, S., Iwasawa, K., Serre, J.-P., Seminar on Complex Multiplication. Lecture Notes in Math., Vol. 21, Springer Verlag, 1966. 

[Chah] Chahal, J.S., Topics in Number Theory. Plenum Press, 1986. 

[Cohn1] Cohn, H., A Classical Invitation to Algebraic Numbers and Class Fields. Springer Verlag Universitext, 1978. 

[Cohn2] Cohn, H., A Second Course in Number Theory. John Wiley & Sons, 1981. 

[Casse] Cassels, J.W.S., An Introduction to the Geometry of Numbers. Springer Verlag series of comprehensive studies in mathematics, 1987. 

[Fult] Fulton, W., Algebraic Curves. Benjamin & Co., 1969. 

[GaV] Gao, S., Vanstone, S., "On Orders of Optimal Normal Basis Generators", Math. of Comp., Vol. 64, No. 211, July 1995, pp. 1227-1233. 

[Heck] Hecke, E., Lectures on the Theory of Algebraic Numbers. Springer Verlag GTM No. 77, 1981. 

[Huse] Husemoller, D., Elliptic Curves. Springer Verlag GTM No. 111, 1986. 

[Hasse] Hasse, H., Number Theory (3rd ed.). Springer Verlag series of comprehensive studies in mathematics, 1979. 

[IrRo] Ireland, K., Rosen, M., A Classical Introduction to Modern Number Theory. Springer Verlag GTM No. 84, 1982. 

[Jones] Jones, B., The Arithmetic of Quadratic Forms. Carus Monograph No. 10, 1961. 

[Kob1] Koblitz, N., A Course in Number Theory and Cryptography. Springer Verlag GTM No. 114, 1989. 

[Kob2] Koblitz, N., Introduction to Elliptic Curves and Modular Forms. Springer Verlag GTM No. 97, 1984. 

[Kara] Karatsuba, A., Complex Analysis in Number Theory. CRC Press, 1995. 

[Lang1] Lang, S., Algebra (2nd ed.). Addison-Wesley, 1984. 

[Lang2] Lang, S., Algebraic Number Theory. Springer Verlag GTM No. 110, 1986. 

[Lang3] Lang, S., Elliptic Functions. Springer Verlag GTM No. 112, 1987. 

[Lang4] Lang, S., Introduction to Modular Forms. Springer Verlag series of comprehensive studies in mathematics, 1976. 

[LayZ] Lay, G.J., Zimmer, H.G., "Constructing Elliptic Curves with Given Group Order over Large Finite Fields", Algorithmic Algebraic Number Theory, LNCS Vol. 877, Springer Verlag, 1994. 

[LidN] Lidl, R., Niederreiter, H., Finite Fields, Theory and Applications. Cambridge University Press, 1991. 

[Men1] Menezes, A., Elliptic Curve Cryptosystems. Kluwer Academic Publishers, 1994. 

[Men2] Menezes, A. (Ed.), Applications of Finite Fields. Kluwer Academic Publishers, 1994. 

[McEl] McEliece, R.J., Finite Fields for Computer Scientists and Engineers. Kluwer Academic Publishers, 1992. 

[MOVW] Menezes, A., Onyszchuk, I., Vanstone, S., Wilson, R., "Optimal Normal Bases in GF(p^n)", Discrete Applied Math., Vol. 22, 1988/1989, pp. 149-161. 

[More] Moreno, C., Algebraic Curves over Finite Fields. Cambridge University Press, 1991. 

[Ono] Ono, T., An Introduction to Algebraic Number Theory, 1988. 

[PoZe] Pohst, M., Zassenhaus, H., Algorithmic Algebraic Number Theory. Encyclopedia of Mathematics and its Applications, Cambridge University Press, 1993. 

[Poll] Pollard, H., The Theory of Algebraic Numbers. Carus Monograph No. 9, 1961. 

[Rose] Rose, H.E., A Course in Number Theory. Oxford University Press, 1994. 

[Silv1] Silverman, J.H., The Arithmetic of Elliptic Curves. Springer Verlag GTM No. 106, 1986. 

[Silv2] Silverman, J.H., Advanced Topics in the Arithmetic of Elliptic Curves. Springer Verlag GTM No. 151, 1994. 

[Shaf1] Shafarevich, I.R., Number Theory I. Fundamental Problems, Ideas and Theories. Springer Verlag Encyclopaedia of Mathematical Sciences, 1995. 

[Shaf2] Shafarevich, I.R., Number Theory II. Algebraic Number Theory. Springer Verlag Encyclopaedia of Mathematical Sciences, 1991. 

[Weil] Weil, A., Basic Number Theory. Springer Verlag Universitext, 1978. 



